#1270 Try to make a PR with getting sshd config to work with Fedora and RHEL8 and above.
Closed a year ago by smooge. Opened a year ago by smooge.
fedora-infra/ smooge/ansible try_to_add_ssh_items  into  main

@@ -2,9 +2,9 @@ 

  DEBUGINFOD_PORT="8002"

  #DEBUGINFOD_VERBOSE="-vv"

  

- DEBUGINFOD_PATHS="--fdcache-fds=2048 --fdcache-prefetch-mbs=4096 --fdcache-prefetch-fds=1024 -t43200 -g604800 -C20 -c6 -vv -R /mnt/fedora_koji_prod/koji/packages -X /data/ -I \.(module_f|fc)(32|33|34|35|36|37|38|39)[.+].*\.rpm"

+ DEBUGINFOD_PATHS="--fdcache-mintmp=15 --fdcache-mbs=8192 --fdcache-fds=2048 --fdcache-prefetch-mbs=4096 --fdcache-prefetch-fds=1024 -t43200 -g604800 -C20 -c6 -vv -r -R /mnt/fedora_koji_prod/koji/packages -X /data/ -I \.(module_f|fc)(33|34|35|36|37|38|39)[.+].*\.rpm"

  

- # to start aging old fedoras, change the -I regex, and add -r ("--regex-groom").

+ # to age old fedoras, change the -I regex

  

  # prefer reliability/durability over performance

  #DEBUGINFOD_PRAGMAS="-D 'pragma synchronous=full;'"

file modified
+1 -8
@@ -162,16 +162,9 @@ 

  buildvm-s390x-23.s390.fedoraproject.org

  buildvm-s390x-24.s390.fedoraproject.org

  buildvm-s390x-25.s390.fedoraproject.org

+ # These two have more cpu/memory for 'heavybuilder' channel

  buildvm-s390x-26.s390.fedoraproject.org

  buildvm-s390x-27.s390.fedoraproject.org

- buildvm-s390x-28.s390.fedoraproject.org

- buildvm-s390x-29.s390.fedoraproject.org

- buildvm-s390x-30.s390.fedoraproject.org

- #buildvm-s390x-31.s390.fedoraproject.org

- #buildvm-s390x-32.s390.fedoraproject.org

- #buildvm-s390x-33.s390.fedoraproject.org

- #buildvm-s390x-34.s390.fedoraproject.org

- #buildvm-s390x-35.s390.fedoraproject.org

  

  [buildvm_s390x:children]

  buildvm_s390x_zvm

file modified
+4 -9
@@ -204,11 +204,6 @@ 

  # Path to the openshift-ansible checkout as external git repo brought into

  # Fedora Infra

  openshift_ansible: /srv/web/infra/openshift-ansible/

- # This is the openshift wildcard cert. Until it exists set it equal to wildcard

- os_wildcard_cert_name: wildcard-2022.app.os.fedoraproject.org

- os_wildcard_crt_file: wildcard-2022.app.os.fedoraproject.org.cert

- os_wildcard_int_file: wildcard-2022.app.os.fedoraproject.org.intermediate.cert

- os_wildcard_key_file: wildcard-2022.app.os.fedoraproject.org.key

  postfix_group: "none"

  # This is a list of services that need to wait for VPN to be up before getting started.

  postvpnservices: []
@@ -265,10 +260,10 @@ 

  vpn: False

  # This is the wildcard certname for our proxies.  It has a different name for

  # the staging group and is used in the proxies.yml playbook.

- wildcard_cert_name: wildcard-2022.fedoraproject.org

- wildcard_crt_file: wildcard-2022.fedoraproject.org.cert

- wildcard_int_file: wildcard-2022.fedoraproject.org.intermediate.cert

- wildcard_key_file: wildcard-2022.fedoraproject.org.key

+ wildcard_cert_name: wildcard-2023.fedoraproject.org

+ wildcard_crt_file: wildcard-2023.fedoraproject.org.cert

+ wildcard_int_file: wildcard-2023.fedoraproject.org.intermediate.cert

+ wildcard_key_file: wildcard-2023.fedoraproject.org.key

  #

  # say if we want the apache role dependency for mod_wsgi or not

  # In some cases we want mod_wsgi and no apache (for python3 httpaio stuff)

@@ -13,3 +13,5 @@ 

    nrpe: false

    swap: false

  primary_auth_source: ipa

+ # exclude updating koji-containerbuild for now as it breaks our setup.

+ package_exlcudes: "koji-containerbuild*"
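Review bot: The added key `package_exlcudes` looks like a misspelling of `package_excludes`, so the exclusion of `koji-containerbuild*` that the comment above it describes would probably never take effect. The name of the variable the consuming role actually reads is not visible in this hunk, so confirm it there; if it uses the conventional spelling, the line should read `package_excludes: "koji-containerbuild*"`. Ansible does not warn about variables nobody reads, so a mistake like this goes unnoticed until the package is updated anyway.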

@@ -9,8 +9,8 @@ 

  lvm_size: 102400

  main_bridge: vmbr

  max_mem_size: "{{ mem_size }}"

- mem_size: 13312

- num_cpus: 2

+ mem_size: 17408

+ num_cpus: 3

  virt_install_command: "{{ virt_install_command_s390x_one_nic }}"

  vmhost: buildvmhost-s390x-01.s390.fedoraproject.org

  volgroup: /dev/fedora_linux_lpar_1

@@ -1,5 +1,5 @@ 

  checkcompose_env: staging

  checkcompose_env_suffix: .stg

- checkcompose_greenwaveurl: https://greenwave-web-greenwave.app.os.stg.fedoraproject.org

+ checkcompose_greenwaveurl: https://greenwave-web-greenwave.apps.ocp.stg.fedoraproject.org

  checkcompose_prod: false

  checkcompose_url: "https://{{ external_hostname }}"

@@ -16,9 +16,6 @@ 

  openqa_key: "{{ prod_openqa_apikey }}"

  # all our workers need NFS access

  openqa_nfs_workers: "{{ groups['openqa_workers'] }}"

- # install openQA from updates-testing - we want the 2022-11 git

- # builds and I don't want to wait for a week

- openqa_repo: updates-testing

  openqa_resultsdb_url: https://resultsdb.fedoraproject.org/api/v2.0/

  openqa_resultsdb_user: "{{ prod_resultsdb_httpd_user }}"

  openqa_resultsdb_password: "{{ prod_resultsdb_httpd_password }}"

@@ -18,9 +18,6 @@ 

  openqa_key: "{{ prod_openqa_apikey }}"

  # we are all NFS workers for now at least

  openqa_nfs_worker: true

- # install openQA from updates-testing, as of 2022-11 we want

- # the builds that have been tested on stg on prod too

- openqa_repo: updates-testing

  openqa_secret: "{{ prod_openqa_apisecret }}"

  openqa_workers: 4

  primary_auth_source: ipa

@@ -1,7 +1,4 @@ 

  ---

- os_app_url: app.os.fedoraproject.org

- os_url: os.fedoraproject.org

- 

  # Set the Bodhi variables

  bodhi_version: "6.0.1"

  bodhi_openshift_pods: 1

@@ -1,7 +1,4 @@ 

  ---

- os_app_url: app.os.stg.fedoraproject.org

- os_url: os.stg.fedoraproject.org

- 

  # Set the Bodhi variables

  bodhi_version: "6.0.1"

  bodhi_openshift_pods: 1

file modified
+4 -9
@@ -40,16 +40,11 @@ 

      name: eth0

      type: ethernet

      mtu: 9000

- ocp_wildcard_cert_file: wildcard-2022.apps.ocp.stg.fedoraproject.org.cert

+ ocp_wildcard_cert_file: wildcard-2023.apps.ocp.stg.fedoraproject.org.cert

  # This is the openshift wildcard cert for ocp stg

- ocp_wildcard_cert_name: wildcard-2022.apps.ocp.stg.fedoraproject.org

- ocp_wildcard_int_file: wildcard-2022.apps.ocp.stg.fedoraproject.org.intermediate.cert

- ocp_wildcard_key_file: wildcard-2022.apps.ocp.stg.fedoraproject.org.key

- os_wildcard_cert_file: wildcard-2022.app.os.stg.fedoraproject.org.cert

- # This is the openshift wildcard cert for stg

- os_wildcard_cert_name: wildcard-2022.app.os.stg.fedoraproject.org

- os_wildcard_int_file: wildcard-2022.app.os.stg.fedoraproject.org.intermediate.cert

- os_wildcard_key_file: wildcard-2022.app.os.stg.fedoraproject.org.key

+ ocp_wildcard_cert_name: wildcard-2023.apps.ocp.stg.fedoraproject.org

+ ocp_wildcard_int_file: wildcard-2023.apps.ocp.stg.fedoraproject.org.intermediate.cert

+ ocp_wildcard_key_file: wildcard-2023.apps.ocp.stg.fedoraproject.org.key

  # RIP, FAS

  primary_auth_source: ipa

  SSLCertificateChainFile: wildcard-2022.stg.fedoraproject.org.intermediate.cert

@@ -1,3 +1,6 @@ 

  ---

  eth0_ipv4_ip: 10.16.0.37

  volgroup: /dev/fedora_linux_scsi

+ mem_size: 34816

+ num_cpus: 6

+ lvm_size: 204800

@@ -1,3 +1,6 @@ 

  ---

  eth0_ipv4_ip: 10.16.0.38

  volgroup: /dev/fedora_linux_scsi

+ mem_size: 34816

+ num_cpus: 6

+ lvm_size: 204800

@@ -1,3 +0,0 @@ 

- ---

- eth0_ipv4_ip: 10.16.0.39

- volgroup: /dev/fedora_linux_scsi

@@ -1,3 +0,0 @@ 

- ---

- eth0_ipv4_ip: 10.16.0.40

- volgroup: /dev/fedora_linux_scsi

@@ -1,3 +0,0 @@ 

- ---

- eth0_ipv4_ip: 10.16.0.41

- volgroup: /dev/fedora_linux_scsi

@@ -1,3 +0,0 @@ 

- ---

- eth0_ipv4_ip: 10.16.0.42

- volgroup: /dev/fedora_linux_scsi

@@ -1,3 +0,0 @@ 

- ---

- eth0_ipv4_ip: 10.16.0.43

- volgroup: /dev/fedora_linux_scsi

@@ -1,3 +0,0 @@ 

- ---

- eth0_ipv4_ip: 10.16.0.44

- volgroup: /dev/fedora_linux_scsi

@@ -1,3 +0,0 @@ 

- ---

- eth0_ipv4_ip: 10.16.0.45

- volgroup: /dev/fedora_linux_scsi

@@ -1,3 +0,0 @@ 

- ---

- eth0_ipv4_ip: 10.16.0.46

- volgroup: /dev/fedora_linux_scsi

file modified
+1
@@ -1184,6 +1184,7 @@ 

  cloud_aws

  ibiblio_virt

  buildvm_s390x_zvm

+ buildvm_s390x_stg

  

  [iad2:children]

  iad2_production

@@ -9,7 +9,7 @@ 

  #

  

  - name: check for updates

-   hosts: distro_RedHat:distro_CentOS:!*.app.os.fedoraproject.org:!*.app.os.stg.fedoraproject.org

+   hosts: distro_RedHat:distro_CentOS:!ocp*:!worker*

    gather_facts: false

  

    tasks:
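Review bot: The new host pattern `!ocp*:!worker*` excludes by inventory-name prefix, which is much broader than the two domain suffixes it replaces: any current or future host whose name starts with `ocp` or `worker` silently drops out of this play. Since the play is what reports pending updates, an unintended match means a machine with missing security updates is never listed. Excluding an inventory group that holds only the intended nodes (the group name is not visible in this hunk) would keep the exclusion explicit, and a comment above `hosts:` should state why these hosts are skipped. The same pattern is used on the `hosts:` line of the second play in the next hunk.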
@@ -22,7 +22,7 @@ 

      when: yumoutput.results|length > 0

  

  - name: check for updates

-   hosts: distro_Fedora:!*.app.os.fedoraproject.org:!*.app.os.stg.fedoraproject.org

+   hosts: distro_Fedora:!ocp*:!worker*

    gather_facts: false

  

    tasks:

file modified
+2 -2
@@ -80,8 +80,8 @@ 

    - role: apache

  

    - role: httpd/certificate

-     certname: wildcard-2017.fedorapeople.org

-     SSLCertificateChainFile: wildcard-2017.fedorapeople.org.intermediate.cert

+     certname: wildcard-2023.fedorapeople.org

+     SSLCertificateChainFile: wildcard-2023.fedorapeople.org.intermediate.cert

  

    - people

  

@@ -16,13 +16,13 @@ 

    - role: httpd/mod_ssl

  

    - role: httpd/certificate

-     certname: wildcard-2022.fedoraproject.org

-     SSLCertificateChainFile: wildcard-2022.fedoraproject.org.intermediate.cert

+     certname: wildcard-2023.fedoraproject.org

+     SSLCertificateChainFile: wildcard-2023.fedoraproject.org.intermediate.cert

  

    - role: httpd/certificate

-     certname: wildcard-2022.fedoraproject.org

-     SSLCertificateChainFile: wildcard-2022.fedoraproject.org.intermediate.cert

- 

+     certname: wildcard-2023.fedoraproject.org

+     SSLCertificateChainFile: wildcard-2023.fedoraproject.org.intermediate.cert

+  

    - role: httpd/certificate

      certname: wildcard-2022.id.fedoraproject.org

      SSLCertificateChainFile: wildcard-2022.id.fedoraproject.org.intermediate.cert
@@ -38,26 +38,13 @@ 

      when: env == "staging"

  

    - role: httpd/certificate

-     certname: wildcard-2022.app.os.stg.fedoraproject.org

-     SSLCertificateChainFile: wildcard-2022.app.os.stg.fedoraproject.org.intermediate.cert

-     when: env == "staging"

-     tags:

-     - app.os.stg.fedoraproject.org

- 

-   - role: httpd/certificate

-     certname: wildcard-2022.apps.ocp.stg.fedoraproject.org

-     SSLCertificateChainFile: wildcard-2022.apps.ocp.stg.fedoraproject.org.intermediate.cert

+     certname: wildcard-2023.apps.ocp.stg.fedoraproject.org

+     SSLCertificateChainFile: wildcard-2023.apps.ocp.stg.fedoraproject.org.intermediate.cert

      when: env == "staging"

      tags:

      - apps.ocp.stg.fedoraproject.org

  

    - role: httpd/certificate

-     certname: wildcard-2022.app.os.fedoraproject.org

-     SSLCertificateChainFile: wildcard-2022.app.os.fedoraproject.org.intermediate.cert

-     tags:

-     - app.os.fedoraproject.org

- 

-   - role: httpd/certificate

      certname: wildcard-2022.apps.ocp.fedoraproject.org

      SSLCertificateChainFile: wildcard-2022.apps.ocp.fedoraproject.org.intermediate.cert

      tags:

@@ -659,50 +659,6 @@ 

      - zezere

  

    - role: httpd/website

-     site_name: os.fedoraproject.org

-     sslonly: true

-     cert_name: "{{wildcard_cert_name}}"

-     # The Connection and Upgrade headers don't work for h2

-     # So non-h2 is needed to fix websockets.

-     use_h2: false

-     tags:

-     - os.fedoraproject.org

- 

-   - role: httpd/website

-     site_name: app.os.fedoraproject.org

-     server_aliases: ["*.app.os.fedoraproject.org"]

-     sslonly: true

-     cert_name: "{{os_wildcard_cert_name}}"

-     SSLCertificateChainFile: "{{os_wildcard_int_file}}"

-     # The Connection and Upgrade headers don't work for h2

-     # So non-h2 is needed to fix websockets.

-     use_h2: false

-     tags:

-     - app.os.fedoraproject.org

- 

-   - role: httpd/website

-     site_name: os.stg.fedoraproject.org

-     sslonly: true

-     cert_name: "{{wildcard_cert_name}}"

-     # The Connection and Upgrade headers don't work for h2

-     # So non-h2 is needed to fix websockets.

-     use_h2: false

-     tags:

-     - os.stg.fedoraproject.org

- 

-   - role: httpd/website

-     site_name: app.os.stg.fedoraproject.org

-     server_aliases: ["*.app.os.stg.fedoraproject.org"]

-     sslonly: true

-     cert_name: "{{os_wildcard_cert_name}}"

-     SSLCertificateChainFile: "{{os_wildcard_int_file}}"

-     # The Connection and Upgrade headers don't work for h2

-     # So non-h2 is needed to fix websockets.

-     use_h2: false

-     tags:

-     - app.os.stg.fedoraproject.org

- 

-   - role: httpd/website

      site_name: ocp.stg.fedoraproject.org

      sslonly: true

      cert_name: "{{wildcard_cert_name}}"
@@ -943,7 +899,7 @@ 

    - role: httpd/website

      site_name: nagios.fedoraproject.org

      server_aliases: [nagios.stg.fedoraproject.org]

-     SSLCertificateChainFile: wildcard-2022.fedoraproject.org.intermediate.cert

+     SSLCertificateChainFile: wildcard-2023.fedoraproject.org.intermediate.cert

      sslonly: true

      cert_name: "{{wildcard_cert_name}}"

  

@@ -9,6 +9,13 @@ 

      - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml

  

    tasks:

+     - name: Configure the communishift virtualenv

+       ansible.builtin.pip:

+         name: "{{ communishift_package }}"

+       with_items: "{{ communishift_package_list }}"

+       loop_control:

+         loop_var: communishift_package

+ 

      - name: Communishift Role

        include_role:

          name: communishift
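Review bot: The task named `Configure the communishift virtualenv` never passes `virtualenv:` to `ansible.builtin.pip`, so the packages go into the default Python environment of whatever host the play targets (the `hosts:` line is outside this hunk), and they are installed without version pins. An unpinned install of `kubernetes` and `boto3` (listed under `vars:` in a later hunk) takes whatever is newest on the index at run time, which makes runs irreproducible and widens the supply-chain exposure of that host. Consider pinning versions in `communishift_package_list` and setting `virtualenv: <path>` (placeholder), or installing the distribution packages instead. The loop is also unnecessary because `name:` accepts a list: `name: "{{ communishift_package_list }}"`.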
@@ -16,6 +23,7 @@ 

          apply:

            tags:

              - deploy-operators

+ 

      - name: Communishift Role

        with_items: "{{ communishift_projects }}"

        include_role:
@@ -29,6 +37,9 @@ 

        loop_control:

          loop_var: outer_item

    vars:

+     communishift_package_list:

+       - kubernetes

+       - boto3

      communishift_projects:

        - communishift-dev-test

        - communishift-mattdm

@@ -0,0 +1,19 @@ 

+ ---

+ - hosts: localhost

+   user: root

+   gather_facts: false

+ 

+   vars_files:

+     - /srv/web/infra/ansible/vars/global.yml

+     - "/srv/private/ansible/vars.yml"

+     - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml

+ 

+   tasks:

+ 

+     - name: fas2discourse Role

+       include_role:

+         name: fas2discourse

+         tasks_from: administration-tasks

+         apply:

+           tags:

+             - generate-keytab
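Review bot: The tag applied here is `generate-keytab`, but the role tasks added later in this PR are tagged `create-keytab`, and the `include_role` task itself has no `tags:` of its own. With a dynamic include, `apply.tags` only tags the included tasks; a run limited with `--tags generate-keytab` skips the untagged include itself, so the keytab tasks would not run when selected by tag. Use one tag name throughout and put it on the include as well, e.g. `tags: [create-keytab]` on the `fas2discourse Role` task.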

@@ -82,11 +82,6 @@ 

      template: buildconfig.yml

      objectname: buildconfig.yml

  

-   - role: openshift/start-build

-     app: coreos-ostree-importer

-     buildname: coreos-ostree-importer-build

-     objectname: coreos-ostree-importer-build

- 

    - role: openshift/object

      app: coreos-ostree-importer

      template: deploymentconfig.yml

@@ -27,11 +27,6 @@ 

      template: buildconfig.yml

      objectname: buildconfig.yml

  

-   - role: openshift/start-build

-     app: fedora-ostree-pruner

-     buildname: fedora-ostree-pruner-build

-     objectname: fedora-ostree-pruner-build

- 

    - role: openshift/object

      app: fedora-ostree-pruner

      template: deploymentconfig.yml

@@ -33,6 +33,7 @@ 

      servicename: frontend

      annotations:

          haproxy.router.openshift.io/set-forwarded-headers: append

+         haproxy.router.openshift.io/timeout: 180s

  

    tasks:

      - name: Apply objects

@@ -20,6 +20,7 @@ 

      appowners:

      - cverna

      - pingou

+     - t0xic0der

  

    - role: openshift/object

      app: mdapi

@@ -86,7 +86,6 @@ 

      app: noggin-centos

      routename: noggin

      host: "accounts{{ env_suffix }}.centos.org"

-     # host: "aco.app.os{{ env_suffix }}.fedoraproject.org"

      serviceport: web

      servicename: noggin-web

      annotations:

@@ -50,7 +50,7 @@ 

      - role: openshift/route

        app: test-auth

        routename: test-auth

-       host: "test-auth.app.os{{ env_suffix }}.fedoraproject.org"

+       host: "test-auth.apps.ocp{{ env_suffix }}.fedoraproject.org"

        serviceport: web

        servicename: test-auth

        annotations:

@@ -14,9 +14,11 @@ 

  -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

  

  # Established connections allowed

- -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

  -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

  

+ # allow dhcp6d from aws

+ -A INPUT -d fe80::/64 -p udp -m udp --dport 546 --sport 547 -j ACCEPT

+ 

  # if the blocked_ips is defined - drop them

  {% if blocked_ip_v6 is defined %}

  {% for ip in blocked_ip_v6 %}
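Review bot: The new DHCPv6 rule matches only on destination and ports, so it accepts UDP from any source address, and it is rendered unconditionally although its comment says it is for AWS. DHCPv6 replies normally come from a link-local server or relay address, so the rule can be narrowed without losing function: `-A INPUT -s fe80::/10 -d fe80::/64 -p udp -m udp --sport 547 --dport 546 -j ACCEPT`. If only the AWS hosts need it, a template condition on the datacenter variable (its name is not visible in this hunk) would leave the other hosts' rule sets unchanged.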

@@ -2,11 +2,11 @@ 

  

  Port {{ sshd_port }}

  

- {% if ansible_distribution_major_version|int == 6 %}

+ {% if ansible_distribution_major_version|int == 6 and ansible_distribution == 'RedHat' %}

  KexAlgorithms diffie-hellman-group-exchange-sha256

  MACs hmac-sha2-512,hmac-sha2-256

  Ciphers aes256-ctr,aes192-ctr,aes128-ctr

- {% elif ansible_distribution_major_version|int == 7 %}

+ {% elif ansible_distribution_major_version|int == 7 and ansible_distribution == 'RedHat' %}

  KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256

  Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr

  MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
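Review bot: Requiring `ansible_distribution == 'RedHat'` in these branches drops the explicit `KexAlgorithms`/`Ciphers`/`MACs` restrictions for every non-RHEL host of major version 7, which includes CentOS hosts (the update playbook in this PR targets a `distro_CentOS` group); those hosts would fall back to the OpenSSH defaults. The same applies to the `UsePrivilegeSeparation` branches and to the `>= 9` `Include` branch in the following hunks. If the intent is only to stop Fedora release numbers from matching, `ansible_distribution != 'Fedora'` or `ansible_distribution in ['RedHat', 'CentOS']` does that without weakening the EL clones. The later hunk also compares the version as a string (`== "6"`) while this one uses `|int == 6`; one form throughout is easier to audit.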
@@ -19,7 +19,7 @@ 

  # Also look in /usr/lib/systemd/system/sshd.service for how it is called.

  {% endif %}

  

- {% if ansible_distribution_major_version|int >= 9 %}

+ {% if ansible_distribution_major_version|int >= 9 and ansible_distribution == 'RedHat' %}

  # To modify the system-wide sshd configuration, create a  *.conf  file under

  #  /etc/ssh/sshd_config.d/  which will be automatically included below

  Include /etc/ssh/sshd_config.d/*.conf
@@ -52,9 +52,9 @@ 

  X11Forwarding no

  PermitTunnel no

  

- {% if ansible_distribution_major_version == "6" %}

+ {% if ansible_distribution_major_version == "6" and ansible_distribution == 'RedHat' %}

  UsePrivilegeSeparation yes

- {% elif ansible_distribution_major_version == "7" %}

+ {% elif ansible_distribution_major_version == "7" and ansible_distribution == 'RedHat' %}

  UsePrivilegeSeparation sandbox

  {% endif %}

  

@@ -126,56 +126,6 @@ 

                                  'dest': os.path.join(FEDORAALTDEST, 'testing', '36', 'Modular')}

                                ]}}

                     },

-             'f35': {'topic': 'fedora',

-                     'version': '35',

-                     'modules': ['fedora', 'fedora-secondary'],

-                     'repos': {'updates': {

-                         'from': 'f35-updates',

-                         'ostrees': [{'ref': 'fedora/35/%(arch)s/updates/silverblue',

-                                      'dest': OSTREEDEST,

-                                      'arches': ['x86_64', 'ppc64le', 'aarch64']},

-                                     {'ref': 'fedora/35/%(arch)s/updates/kinoite',

-                                      'dest': OSTREEDEST,

-                                      'arches': ['x86_64', 'ppc64le', 'aarch64']}],

-                         'to': [{'arches': ['x86_64', 'armhfp', 'aarch64', 'source'],

-                                 'dest': os.path.join(FEDORADEST, '35', 'Everything')},

-                                {'arches': ['ppc64le', 's390x'],

-                                 'dest': os.path.join(FEDORAALTDEST, '35', 'Everything')}

-                               ]},

-                               'updates-testing': {

-                         'from': 'f35-updates-testing',

-                         'ostrees': [{'ref': 'fedora/35/%(arch)s/testing/silverblue',

-                                      'dest': OSTREEDEST,

-                                      'arches': ['x86_64', 'ppc64le', 'aarch64']},

-                                     {'ref': 'fedora/35/%(arch)s/testing/kinoite',

-                                      'dest': OSTREEDEST,

-                                      'arches': ['x86_64', 'ppc64le', 'aarch64']}],

-                         'to': [{'arches': ['x86_64', 'aarch64', 'armhfp', 'source'],

-                                 'dest': os.path.join(FEDORADEST, 'testing', '35', 'Everything')},

-                                {'arches': ['ppc64le', 's390x'],

-                                 'dest': os.path.join(FEDORAALTDEST, 'testing', '35', 'Everything')}

-                               ]}}

-                    },

-             'f35m': {'topic': 'fedora',

-                     'version': '35m',

-                     'modules': ['fedora', 'fedora-secondary'],

-                     'repos': {'updates': {

-                         'from': 'f35-modular-updates',

-                         'ostrees': [],

-                         'to': [{'arches': ['x86_64', 'aarch64', 'armhfp', 'source'],

-                                 'dest': os.path.join(FEDORADEST, '35', 'Modular')},

-                                {'arches': ['ppc64le', 's390x'],

-                                 'dest': os.path.join(FEDORAALTDEST, '35', 'Modular')}

-                               ]},

-                               'updates-testing': {

-                         'from': 'f35-modular-updates-testing',

-                         'ostrees': [],

-                         'to': [{'arches': ['x86_64', 'aarch64', 'armhfp', 'source'],

-                                 'dest': os.path.join(FEDORADEST, 'testing', '35', 'Modular')},

-                                {'arches': ['ppc64le', 's390x'],

-                                 'dest': os.path.join(FEDORAALTDEST, 'testing', '35', 'Modular')}

-                               ]}}

-                    },

              'epel9': {'topic': 'epel',

                        'version': '9',

                        'modules': ['epel'],

@@ -87,7 +87,7 @@ 

    # bodhi2/backend/files/koji_sync_listener.py

    # This cronjob runs only once a day.  The listener script runs reactively.

    cron: name="owner-sync" minute="15" hour="4" user="root"

-       job="/usr/local/bin/lock-wrapper owner-sync '/usr/local/bin/owner-sync-pagure f38 f38-container f38-modular f37 f37-container f37-modular f36 f36-container f36-modular f35 f35-container f35-modular epel9 epel9-next epel8 epel8-next epel8-modular epel7 module-package-list modular'"

+       job="/usr/local/bin/lock-wrapper owner-sync '/usr/local/bin/owner-sync-pagure f38 f38-container f38-modular f37 f37-container f37-modular f36 f36-container f36-modular epel9 epel9-next epel8 epel8-next epel8-modular epel7 module-package-list modular'"

        cron_file=update-koji-owner

        user=apache

    when: env == "production"

@@ -48,10 +48,6 @@ 

      "f36-container",

      "f36-modular",

      "f36-flatpak",

-     "f35",

-     "f35-container",

-     "f35-modular",

-     "f35-flatpak",

      "epel9",

      "epel9-next",

      "epel8",

@@ -630,7 +630,7 @@ 

  

  # Groups that can push updates for any package

  # admin_packager_groups = provenpackager releng security_respons

- admin_packager_groups = provenpackager releng-team security_respons

+ admin_packager_groups = provenpackager releng-team security_respons bodhi_update_bots

  

  # User must be a member of this group to submit updates

  # mandatory_packager_groups = packager
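Review bot: Adding `bodhi_update_bots` to `admin_packager_groups` lets every member of that group push updates for any package, as the comment above the setting says, and nothing in the file records why the group needs that. A comment next to the line should name the automation the group is for and who approves membership, because the group becomes equivalent to `provenpackager` for update pushes. The commented default line above still lists a different set of groups; a note that it is the upstream default would avoid confusion.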

@@ -1,4 +1,3 @@ 

- 

  module fi-collectd 1.10.0;

  

  require {
@@ -15,6 +14,7 @@ 

      type var_run_t;

      type anon_inodefs_t;

      type initrc_t;

+  lgtype proc_net_t;

  

      class capability { kill setuid dac_read_search sys_ptrace setgid dac_override };

      class dir { getattr read };
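Review bot: The added declaration `lgtype proc_net_t;` is not valid policy syntax and should read `type proc_net_t;`; the rule added in the next hunk, `atlow collectd_t proc_net_t:lnk_file read;`, has the same kind of typo and should start with `allow`. As written the module will not compile, so the new permission is never loaded and any shipped `.pp` will not correspond to this source. The rule also uses class `lnk_file`, which has to be declared in the `require` block (only part of that block is visible here), e.g. `class lnk_file read;`.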
@@ -39,3 +39,4 @@ 

  allow collectd_t var_run_t:sock_file { read write getattr };

  allow collectd_t anon_inodefs_t:file { write read };

  allow collectd_t initrc_t:unix_stream_socket connectto;

+ atlow collectd_t proc_net_t:lnk_file read;

@@ -1,4 +1,5 @@ 

- ---

+ 

+ 

  # collectd client setup

  

  # install pkg
@@ -149,7 +150,6 @@ 

  

  - name: copy over our pstorefs/collectd selinux module (rhel6 has no pstorefs)

    copy: src=selinux/fi-pstorefs.pp dest=/usr/share/collectd/fi-pstorefs.pp

-   when: ansible_distribution_major_version|int != 6

    register: ficpstorefs_module

    tags:

    - collectd
@@ -157,7 +157,6 @@ 

  

  - name: check to see if its even installed yet

    shell: semodule -l | grep fi-pstorefs | wc -l

-   when: ansible_distribution_major_version|int != 6

    register: ficpstorefs_grep

    check_mode: no

    changed_when: "'0' in ficpstorefs_grep.stdout"
@@ -167,7 +166,7 @@ 

  

  - name: install our pstorefs/collectd selinux module

    command: semodule -i /usr/share/collectd/fi-pstorefs.pp

-   when: ansible_distribution_major_version|int != 6 and (ficpstorefs_module is changed or ficpstorefs_grep is changed)

+   when: (ficpstorefs_module is changed or ficpstorefs_grep is changed)

    tags:

    - collectd

    - selinux

@@ -131,6 +131,9 @@ 

    vars:

      packages:

        - copr-builder

+       # A new version of rpmlint fixes the following issue

+       # https://pagure.io/FedoraReview/issue/461

+       - rpmlint

  

  - name: put updated mock configs into /etc/mock

    copy: src=files/mock/ dest=/etc/copr-rpmbuild/mock-config-overrides

@@ -1,2 +0,0 @@ 

- [OOM]

- SwapUsedLimit=80

@@ -29,11 +29,13 @@ 

    tags:

    - config

  

- - name: install custom systemd service files

-   copy: src=systemd dest=/etc

-   tags:

-   - config

-   notify: restart systemd-oomd

+ # https://bugzilla.redhat.com/show_bug.cgi?id=1941170

+ - name: mask the systemd-oomd service

+   systemd:

+     name: systemd-oomd

+     state: stopped

+     enabled: no

+     masked: yes

  

  - name: configure crond

    copy: src=sysconfig.crond dest=/etc/sysconfig/crond

@@ -129,7 +129,7 @@ 

    tags:

    - selinux

  

- - name: Create CGIT config file if it does not exist (takes even 30 minutes)

+ - name: Create CGIT config file if it does not exist (takes almost an hour)

    command: /usr/bin/copr-dist-git-refresh-cgit creates=/var/cache/cgit/repo-configuration.rc

  

  - name: ensure that .config directory exists

@@ -5,6 +5,5 @@ 

  #     $ dnf diff copr-frontend /etc/cron.hourly/copr-frontend-optional

  # to see our changes, and perhaps update when appropriate.

  

- # disabled during movement to aws

- # runuser -c '/usr/share/copr/coprs_frontend/run/check_for_anitya_version_updates.py --backend pypi --delta=172800 &> /dev/null' - copr-fe

+ runuser -c '/usr/share/copr/coprs_frontend/run/check_for_anitya_version_updates.py --backend pypi --delta=172800 &> /dev/null' - copr-fe

  runuser -c '/usr/share/copr/coprs_frontend/run/check_for_anitya_version_updates.py --backend rubygems --delta=172800 &> /dev/null' - copr-fe

@@ -56,13 +56,13 @@ 

    - selinux

  

  - name: Copy wildcard cert from puppet private

-   copy: src="{{private}}/files/httpd/wildcard-2022.fedoraproject.org.cert" dest=/etc/pki/tls/certs/wildcard-2022.fedoraproject.org.cert owner=root group=root mode=0644

+   copy: src="{{private}}/files/httpd/wildcard-2023.fedoraproject.org.cert" dest=/etc/pki/tls/certs/wildcard-2023.fedoraproject.org.cert owner=root group=root mode=0644

  

  - name: Copy wildcard key from puppet private

-   copy: src="{{private}}/files/httpd/wildcard-2022.fedoraproject.org.key" dest=/etc/pki/tls/private/wildcard-2022.fedoraproject.org.key owner=root group=root mode=0600

+   copy: src="{{private}}/files/httpd/wildcard-2023.fedoraproject.org.key" dest=/etc/pki/tls/private/wildcard-2023.fedoraproject.org.key owner=root group=root mode=0600

  

  - name: Copy intermediate wildcard cert from puppet private

-   copy: src="{{private}}/files/httpd/wildcard-2022.fedoraproject.org.intermediate.cert" dest=/etc/pki/tls/certs/wildcard-2022.fedoraproject.org.intermediate.cert owner=root group=root mode=0644

+   copy: src="{{private}}/files/httpd/wildcard-2023.fedoraproject.org.intermediate.cert" dest=/etc/pki/tls/certs/wildcard-2023.fedoraproject.org.intermediate.cert owner=root group=root mode=0644

  

  - name: Configure httpd dl main conf

    template: src=httpd/dl.fedoraproject.org.conf dest=/etc/httpd/conf.d/dl.fedoraproject.org.conf

@@ -0,0 +1,1 @@ 

+ fas2discourse_hostname: "fas2discourse.hostna.me"
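Review bot: The default `fas2discourse_hostname` is `fas2discourse.hostna.me`, which reads like a placeholder and is outside the project's own domains; the role later passes it as `host:` to `keytab/service`. If that value names the service principal, a keytab would be issued for a host name the project presumably does not control. Set the real service host name per environment, or leave the default undefined so the play fails loudly when none is provided. This file also lacks the leading `---` that the other new files in the role have.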

@@ -0,0 +1,2 @@ 

+ ---

+ - include_tasks: create-keytab.yml

@@ -0,0 +1,24 @@ 

+ ---

+ 

+ - name: Create the fas2discourse keytab path on the batcave01

+   file:

+     path: "/etc/openshift_apps/fas2discourse/"

+     state: directory

+     owner: root

+     group: root

+     mode: 0750

+   tags:

+     - create-keytab

+ 

+ 

+ - name: Acquire a keytab

+   include_role:

+     name: keytab/service

+   vars:

+     kt_location:

+       "/etc/openshift_apps/fas2discourse/fas2discourse-keytab.kt"

+     service: "fas2discourse"

+     host: "{{ fas2discourse_hostname }}"

+   tags:

+     - create-keytab

+ 
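Review bot: `mode: 0750` on the keytab directory is an unquoted number with a leading zero and relies on the YAML loader reading it as octal; quoting it, `mode: "0750"`, removes any chance of the permission being interpreted as decimal. The task name says the path is created "on the batcave01" while the calling play targets `localhost`, so a comment stating which host the play must be run from would prevent the keytab directory being created elsewhere. Ownership and mode of the keytab file itself are left to the `keytab/service` role and are not visible here.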

empty or binary file added
@@ -98,8 +98,8 @@ 

  

  - name: put our combined cert in place

    copy: >

-     src={{private}}/files/httpd/wildcard-2022.fedoraproject.org.combined.cert

-     dest=/etc/pki/tls/certs/wildcard-2022.fedoraproject.org.combined.cert

+     src={{private}}/files/httpd/wildcard-2023.fedoraproject.org.combined.cert

+     dest=/etc/pki/tls/certs/wildcard-2023.fedoraproject.org.combined.cert

      owner=root group=root mode=0644

    notify: restart stunnel

    tags:

@@ -1,5 +1,5 @@ 

- cert = /etc/pki/tls/certs/wildcard-2022.fedoraproject.org.combined.cert

- key = /etc/pki/tls/private/wildcard-2022.fedoraproject.org.key

+ cert = /etc/pki/tls/certs/wildcard-2023.fedoraproject.org.combined.cert

+ key = /etc/pki/tls/private/wildcard-2023.fedoraproject.org.key

  pid = /var/run/stunnel.pid

  

  [{{ stunnel_service }}]

@@ -8,7 +8,7 @@ 

  certbot: false

  ssl: true

  sslonly: false

- SSLCertificateChainFile: wildcard-2022.fedoraproject.org.intermediate.cert

+ SSLCertificateChainFile: wildcard-2023.fedoraproject.org.intermediate.cert

  gzip: false

  stssubdomains: true

  # set to true to enable the proxy to redirect the http01 challenge

@@ -5,7 +5,7 @@ 

  global enabled = fas

  fas preconfigured=True

  fas aws idp arn=arn:aws:iam::125523088429:saml-provider/id.fedoraproject.org

- fas aws groups=[["aws-master", "arn:aws:iam::125523088429:role/aws-master"], ["aws-iam", "arn:aws:iam::125523088429:role/aws-iam"], ["aws-billing", "arn:aws:iam::125523088429:role/aws-billing"], ["aws-atomic", "arn:aws:iam::125523088429:role/aws-atomic"], ["aws-s3-readonly", "arn:aws:iam::125523088429:role/aws-s3-readonly"], ["aws-fedoramirror", "arn:aws:iam::125523088429:role/aws-fedoramirror"], ["aws-s3", "arn:aws:iam::125523088429:role/aws-s3"], ["aws-cloud-poc", "arn:aws:iam::125523088429:role/aws-cloud-poc"], ["aws-infra", "arn:aws:iam::125523088429:role/aws-infra"], ["aws-docs", "arn:aws:iam::125523088429:role/aws-docs"], ["aws-copr", "arn:aws:iam::125523088429:role/aws-copr"], ["aws-centos", "arn:aws:iam::125523088429:role/aws-centos"], ["aws-min", "arn:aws:iam::125523088429:role/aws-min"], ["aws-fedora-ci", "arn:aws:iam::125523088429:role/aws-fedora-ci"], ["aws-fcos-mgmt", "arn:aws:iam::125523088429:role/aws-fcos-mgmt"], ["aws-qa", "arn:aws:iam::125523088429:role/aws-qa"], ["aws-fcos-s3-readonly", "arn:aws:iam::125523088429:role/aws-fcos-s3-readonly"]]

+ fas aws groups=[["aws-master", "arn:aws:iam::125523088429:role/aws-master"], ["aws-iam", "arn:aws:iam::125523088429:role/aws-iam"], ["aws-billing", "arn:aws:iam::125523088429:role/aws-billing"], ["aws-atomic", "arn:aws:iam::125523088429:role/aws-atomic"], ["aws-s3-readonly", "arn:aws:iam::125523088429:role/aws-s3-readonly"], ["aws-fedoramirror", "arn:aws:iam::125523088429:role/aws-fedoramirror"], ["aws-s3", "arn:aws:iam::125523088429:role/aws-s3"], ["aws-cloud-poc", "arn:aws:iam::125523088429:role/aws-cloud-poc"], ["aws-infra", "arn:aws:iam::125523088429:role/aws-infra"], ["aws-docs", "arn:aws:iam::125523088429:role/aws-docs"], ["aws-copr", "arn:aws:iam::125523088429:role/aws-copr"], ["aws-centos", "arn:aws:iam::125523088429:role/aws-centos"], ["aws-min", "arn:aws:iam::125523088429:role/aws-min"], ["aws-fedora-ci", "arn:aws:iam::125523088429:role/aws-fedora-ci"], ["aws-fcos-mgmt", "arn:aws:iam::125523088429:role/aws-fcos-mgmt"], ["aws-qa", "arn:aws:iam::125523088429:role/aws-qa"], ["aws-fcos-s3-readonly", "arn:aws:iam::125523088429:role/aws-fcos-s3-readonly"], ["aws-fpl", "arn:aws:iam::125523088429:role/aws-fpl"]]

  

  [authz_config]

  global enabled=allow

@@ -191,7 +191,6 @@ 

      tag f38-build :: allow

      tag f37-build :: allow

      tag f36-build :: allow

-     tag f35-build :: allow

      tag eln-build :: allow

      tag epel9-next-build :: allow

      tag epel9-build :: allow

@@ -1,3 +1,30 @@ 

+  

+ hanks,

+ > 

+ > Stefan...

+ > 

+ > 

+ > On Mon, Jan 9, 2023 at 4:37 PM Kevin Fenzi <kfenzi@redhat.com> wrote:

+ > 

+ > > Hey Stef,

+ > >

+ > > Just wondering what the current status is on the REQ to replace Mark?

+ > >

+ > > I know the job got posted before the holidays, and I heard some internal

+ > > folks were interested...

+ > >

+ > > kevin

+ > >

+ > >

+ > 

+ > -- 

+ > Thanks,

+ > 

+ > STEFAN MaTTEJIET

+ > 

+ > Engineering Manager

+ > 

+ > smattejiet@redhat.com    T: +353-(0)51-810-154

  #test policy file

  #earlier = higher precedence!

  
@@ -143,6 +170,9 @@ 

      sig fedora-epel-7 && age < 12 weeks :: keep

      sig fedora-epel-8 && age < 12 weeks :: keep

  

+     # Do not GC stuff in pending tags, it is likely just going out in an update

+     tag *pending :: keep

+ 

      #stuff to chuck semi-rapidly

      tag *-testing *-candidate *-override && order >= 2 :: untag

      tag *-testing *-candidate && order > 0 && age > 6 weeks :: untag
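Review bot: The first hunk of this section (`@@ -1,3 +1,30 @@`) adds 27 lines of a quoted private e-mail thread above `#test policy file`, which looks like an accidental paste rather than configuration. The lines carry people's names, e-mail addresses, a phone number and a staffing discussion, and none of them is a `#` comment, so they would be written into the rendered policy file as-is. I would drop all 27 added lines so that the section keeps only the `tag *pending :: keep` rule from the second hunk. Because the branch is already pushed to a public forge, removing them in a follow-up commit leaves them in history; the branch should be rewritten instead.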

@@ -4,7 +4,7 @@ 

  

  KeepAlive On

  

- Alias /kojihub /usr/share/koji-hub/kojixmlrpc.py

+ Alias /kojihub /usr/share/koji-hub/kojiapp.py

  

  <Directory "/usr/share/koji-hub">

      Options ExecCGI

@@ -1,28 +0,0 @@ 

- data:

-   description: Fedora 35 traditional base

-   license:

-     module: [MIT]

-   name: platform

-   profiles:

-     buildroot:

-       rpms: [bash, bzip2, coreutils, cpio, diffutils, fedora-release, findutils, gawk,

-         glibc-minimal-langpack, grep, gzip, info, make, patch, redhat-rpm-config,

-         rpm-build, sed, shadow-utils, tar, unzip, util-linux, which, xz]

-     srpm-buildroot:

-       rpms: [bash, fedora-release, fedpkg-minimal, glibc-minimal-langpack, gnupg2,

-         redhat-rpm-config, rpm-build, shadow-utils]

-   stream: f35

-   summary: Fedora 35 traditional base

-   context: 00000000

-   version: 1

-   xmd:

-     mbs:

-       buildrequires: {}

-       commit: f35

-       requires: {}

-       koji_tag: module-f35-build

-       mse: TRUE

-       virtual_streams: [fedora]

- document: modulemd

- version: 1

-    

\ No newline at end of file

@@ -151,7 +151,6 @@ 

        - openqa

        - openqa-httpd

        - openqa-plugin-fedora-messaging

-       - openqa-plugin-fedoraupdaterestart

      state: latest

      enablerepo: "{{ openqa_repo }}"

    tags:

@@ -7,7 +7,7 @@ 

  spec:

    source:

      type: Git

-     contextDir: coreos-ostree-importer

+     contextDir: fedora-ostree-pruner

      git:

  {% if env == "staging" %}

        ref: fedora-infra-staging
@@ -21,7 +21,7 @@ 

      dockerStrategy:

        from:

          kind: ImageStreamTag

-         name: fedora:36

+         name: fedora:37

    output:

      to:

        kind: ImageStreamTag

@@ -20,14 +20,18 @@ 

        - name: fedora-ostree-pruner

          # sleep infinity is useful for debugging environment issues

          # comment out when not debugging

-         args: ['infinity']

-         command: ['/usr/bin/sleep']

+         #args: ['infinity']

+         #command: ['/usr/bin/sleep']

          volumeMounts:

          - name: fedora-ostree-content-volume

            mountPath: /mnt/koji

          image: ""

          imagePullPolicy: IfNotPresent

          resources: {}

+       # The files in the ostree volumes are created with group ownership of 263.

+       # We need to have 263 in our supplemental groups. See https://pagure.io/releng/issue/8811#comment-629051

+       securityContext:

+         supplementalGroups: [263]

        volumes:

        - name: fedora-ostree-content-volume

          persistentVolumeClaim:

@@ -12,11 +12,11 @@ 

      lookupPolicy:

        local: false

      tags:

-     - name: "36"

+     - name: "37"

        from:

          kind: DockerImage

-         name: registry.fedoraproject.org/fedora:36

-       importPolicy: 

+         name: registry.fedoraproject.org/fedora:37

+       importPolicy:

          scheduled: true

        referencePolicy:

          type: Source

@@ -146,7 +146,6 @@ 

    # to include whatever version Rawhide is, as openQA tests don't run

    # on Rawhide. So for now this list needs to be updated each time a

    # release is branched (or goes EOL).

-   - fedora-35

    - fedora-36

    - fedora-37

  decision_contexts:
@@ -173,7 +172,6 @@ 

  # groups. workstation does not include standard, so these aren't gating

  # for that group

  product_versions:

-   - fedora-35

    - fedora-36

    - fedora-37

  decision_contexts:
@@ -209,7 +207,6 @@ 

  # these tests are gating for updates in core, base, standard and kde

  # critpath groups.

  product_versions:

-   - fedora-35

    - fedora-36

    - fedora-37

  decision_contexts:
@@ -246,7 +243,6 @@ 

  # these tests are gating for updates in core, base, standard and server

  # critpath groups.

  product_versions:

-   - fedora-35

    - fedora-36

    - fedora-37

  decision_contexts:
@@ -291,7 +287,6 @@ 

  --- !Policy

  id: "bodhiupdate_bodhipush_openqa_upgrade_server"

  product_versions:

-   - fedora-36

    - fedora-37

  decision_contexts:

    - bodhi_update_push_testing_critpath
@@ -313,7 +308,6 @@ 

  --- !Policy

  id: "bodhiupdate_bodhipush_openqa_upgrade_workstation"

  product_versions:

-   - fedora-36

    - fedora-37

  decision_contexts:

    - bodhi_update_push_testing_critpath

@@ -17,8 +17,11 @@ 

            containers:

            - name: mdapi

              image: image-registry.openshift-image-registry.svc:5000/mdapi/mdapi:latest

-             command: ["bash", "-c", "/code/mdapi-get_repo_md /etc/mdapi/mdapi.cfg"]

+             command: ["bash", "-c", "/usr/local/bin/mdapi --conffile /etc/mdapi/confdata/myconfig.py database"]

              volumeMounts:

+             - name: myconfigpy-volume

+               mountPath: /etc/mdapi/confdata/

+               readOnly: true

              - name: config-volume

                mountPath: /etc/mdapi

                readOnly: true
@@ -38,6 +41,10 @@ 

                readOnly: true

            restartPolicy: Never

            volumes:

+           - name: myconfigpy-volume

+             configMap:

+                 defaultMode: 420

+                 name: mdapi-myconfigpy-configmap

            - name: config-volume

              configMap:

                  defaultMode: 420
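Review bot: The new `command` still wraps a fixed argument list in `bash -c`, although nothing in the string needs a shell (no expansion, pipe or redirection). The exec form keeps the process as PID 1 so it receives signals directly, and it leaves no shell parsing step should a templated value ever be added to the line: `command: ["/usr/local/bin/mdapi", "--conffile", "/etc/mdapi/confdata/myconfig.py", "database"]`. A short comment on the added `defaultMode: 420` noting that it is decimal for octal 0644 would also help the next reader. The container spec continues outside the hunks shown.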

@@ -23,6 +23,9 @@ 

          ports:

          - containerPort: 8080

          volumeMounts:

+           - name: myconfigpy-volume

+             mountPath: /etc/mdapi/confdata/

+             readOnly: true

            - name: config-volume

              mountPath: /etc/mdapi/

              readOnly: true
@@ -47,6 +50,9 @@ 

         - name: config-volume

           configMap:

             name: mdapi-configmap

+        - name: myconfigpy-volume

+          configMap:

+            name: mdapi-myconfigpy-configmap

         - name: data-volume

           persistentVolumeClaim:

             claimName: mdapi-storage

@@ -7,10 +7,11 @@ 

  spec:

    source:

      git:

-       uri: https://pagure.io/mdapi.git

  {% if env == 'staging' %}

-       ref: "staging"

+       uri: https://github.com/fedora-infra/mdapi.git

+       ref: "develop"

  {% else %}

+       uri: https://pagure.io/mdapi.git

        ref: "production"

  {% endif %}

    strategy:
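Review bot: After this change staging builds from `https://github.com/fedora-infra/mdapi.git` at `develop` while production builds from `https://pagure.io/mdapi.git` at `production`, so what is validated in staging no longer comes from the same repository as what ships. Both refs are moving branches, and nothing in the hunk shows how the pagure.io repository is kept in sync with GitHub. If it is a mirror, a comment saying so would help, e.g. `# production builds from the pagure.io mirror; staging tracks develop upstream`. If it is not, I would point both environments at one `uri` and vary only `ref`. The `strategy:` block continues outside the hunk.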

@@ -13,6 +13,16 @@ 

  apiVersion: v1

  kind: ConfigMap

  metadata:

+   name: mdapi-myconfigpy-configmap

+   labels:

+     app: mdapi

+ data:

+   myconfig.py: |-

+     {{ load_file('myconfig.py') | indent }}

+ ---

+ apiVersion: v1

+ kind: ConfigMap

+ metadata:

    name: fedora-messaging-configmap

    labels:

      app: mdapi

@@ -0,0 +1,89 @@ 

+ """

+ mdapi

+ Copyright (C) 2015-2022 Red Hat, Inc.

+ 

+ This program is free software: you can redistribute it and/or modify

+ it under the terms of the GNU General Public License as published by

+ the Free Software Foundation, either version 3 of the License, or

+ (at your option) any later version.

+ 

+ This program is distributed in the hope that it will be useful,

+ but WITHOUT ANY WARRANTY; without even the implied warranty of

+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

+ GNU General Public License for more details.

+ 

+ You should have received a copy of the GNU General Public License

+ along with this program.  If not, see <https://www.gnu.org/licenses/>.

+ 

+ Any Red Hat trademarks that are incorporated in the source

+ code or documentation are not subject to the GNU General Public

+ License and may only be used or replicated with the express permission

+ of Red Hat, Inc.

+ """

+ 

+ """

+ mdapi default configuration.

+ """

+ 

+ # url to the database server:

+ DB_FOLDER = "/var/tmp"

+ 

+ LOGGING = {

+     "version": 1,

+     "disable_existing_loggers": False,

+     "formatters": {

+         "standard": {

+             "format": "%(asctime)s [%(levelname)s] %(message)s",

+             "datefmt": "[%Y-%m-%d %I:%M:%S %z]",

+         },

+     },

+     "handlers": {

+         "console": {

+             "level": "INFO",

+             "formatter": "standard",

+             "class": "logging.StreamHandler",

+             "stream": "ext://sys.stdout",

+         },

+     },

+     # The root logger configuration; this is a catch-all configuration

+     # that applies to all log messages not handled by a different logger

+     "root": {

+         "level": "INFO",

+         "handlers": ["console"],

+     },

+ }

+ 

+ """

+ Database fetching configuration

+ """

+ 

+ KOJI_REPO = "https://kojipkgs.fedoraproject.org/repos"

+ PKGDB2_URL = "https://admin.fedoraproject.org/pkgdb"

+ DL_SERVER = "https://dl.fedoraproject.org"

+ 

+ # Enforce, or not, checking the SSL certs

+ PKGDB2_VERIFY = True

+ 

+ # Valid for both koji and the download server

+ DL_VERIFY = True

+ 

+ # Whether to publish to Fedora Messaging

+ PUBLISH_CHANGES = False

+ 

+ # How long to wait between retries if processing failed

+ CRON_SLEEP = 30

+ 

+ repomd_xml_namespace = {

+     "repo": "http://linux.duke.edu/metadata/repo",

+     "rpm": "http://linux.duke.edu/metadata/rpm",

+ }

+ 

+ """

+ Application service configuration

+ """

+ 

+ APPSERVE = {

+     "logging": {"level": LOGGING["root"]["level"]},

+     "bind": "0.0.0.0:8080",

+     "worker_class": "aiohttp.GunicornUVLoopWebWorker",

+ }
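Review bot: `DB_FOLDER = "/var/tmp"` sits under the comment `# url to the database server:`, but the value is a local directory, and `/var/tmp` is a shared, world-writable location. Whether the deployment's data volume is mounted there is not visible in this file, so it is worth confirming that the database files do not land on the container's ephemeral filesystem. I would reword the comment to `# directory where mdapi stores its database files` and point the setting at the mounted data path (`<data volume mountPath>`).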

@@ -321,6 +321,15 @@ 

  propagate = false

  handlers = ["console"]

  

+ [log_config.loggers.toddlers.utils.pagure]

+ {% if env == "staging" %}

+ level = "DEBUG"

+ {% else %}

+ level = "INFO"

+ {% endif %}

+ propagate = false

+ handlers = ["console"]

+ 

  [log_config.loggers.toddlers.plugins.pdc_retired_packages]

  {% if env == "staging" %}

  level = "DEBUG"
@@ -348,6 +357,15 @@ 

  propagate = false

  handlers = ["console"]

  

+ [log_config.loggers.toddlers.plugins.scm_request_processor]

+ {% if env == "staging" %}

+ level = "DEBUG"

+ {% else %}

+ level = "INFO"

+ {% endif %}

+ propagate = false

+ handlers = ["console"]

+ 

  [log_config.root]

  level = "ERROR"

  handlers = ["console"]

@@ -130,9 +130,9 @@ 

    </Location>

  

    # Drop distributed web hits

-   RewriteEngine On

-   RewriteCond %{REQUEST_URI} ^/fedora-web/websites$

-   RewriteRule .* - [F]

+   #RewriteEngine On

+   #RewriteCond %{REQUEST_URI} ^/fedora-web/websites$

+   #RewriteRule .* - [F]

  

    <Location /apache-status>

        SetHandler server-status
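Review bot: The three rewrite directives that answered `^/fedora-web/websites$` with 403 are commented out rather than removed, and the surviving comment `# Drop distributed web hits` now describes a rule that no longer runs. If the block is disabled on purpose, say why and when it should come back, e.g. `# Disabled: <reason>; re-enable if the distributed hits return`, or delete the four lines. The enclosing virtual host starts and ends outside the hunk.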

file modified
+6 -5
@@ -21,11 +21,12 @@ 

    - packages

    - people

  

- #- name: install main httpd config

- #  template: src=people.conf dest=/etc/httpd/conf.d/people.conf

- #  tags:

- #  - people

- #  - sslciphers

+ 

+ - name: install main httpd config

+   template: src=people.conf dest=/etc/httpd/conf.d/people.conf

+   tags:

+   - people

+   - sslciphers

  

  - name: install httpd config

    copy: src={{item}} dest=/etc/httpd/conf.d/{{item}}
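Review bot: The re-enabled `install main httpd config` task writes `/etc/httpd/conf.d/people.conf` without setting owner, group or mode, and within the hunk it notifies no handler. A changed template would then take effect only at the next httpd restart, and this PR does change the certificate paths in what appears to be that template. I would pin the permissions, `template: src=people.conf dest=/etc/httpd/conf.d/people.conf owner=root group=root mode=0644`, and add a `notify:` for whichever httpd reload handler the role already defines. The hunk also adds a second blank line before the task, which can go. The following `install httpd config` task continues outside the hunk.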

@@ -27,9 +27,9 @@ 

    DocumentRoot /srv/people/site

  

    SSLEngine on

-   SSLCertificateFile    /etc/pki/tls/certs/wildcard-2017.fedorapeople.org.cert

-   SSLCertificateKeyFile /etc/pki/tls/private/wildcard-2017.fedorapeople.org.key

-   SSLCertificateChainFile /etc/pki/tls/certs/wildcard-2017.fedorapeople.org.intermediate.cert

+   SSLCertificateFile    /etc/pki/tls/certs/wildcard-2023.fedorapeople.org.cert

+   SSLCertificateKeyFile /etc/pki/tls/private/wildcard-2023.fedorapeople.org.key

+   SSLCertificateChainFile /etc/pki/tls/certs/wildcard-2023.fedorapeople.org.intermediate.cert

    SSLHonorCipherOrder On

    SSLCipherSuite {{ ssl_ciphers }}

    SSLProtocol {{ ssl_protocols }}
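Review bot: `SSLCertificateChainFile` is kept for the renamed intermediate, but that directive has been obsolete since httpd 2.4.8, where `SSLCertificateFile` may hold the leaf certificate followed by the intermediates. Shipping one full-chain file would leave two paths to update at each renewal instead of three, here and in the planet vhost, which a later section of this PR points at the same `wildcard-2023.fedorapeople.org.intermediate.cert`. Whether the 2023 files are installed on the host before this template is rendered is not visible in the hunk; httpd refuses to start if any of them is missing. The virtual host starts and ends outside the hunk.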

@@ -63,7 +63,7 @@ 

        "dist_tag": ".fc35",

        "koji_name": "f35",

        "name": "Fedora Linux",

-       "status": "Active",

+       "status": "EOL",

        "version": "35"

      },

      {
@@ -74,7 +74,7 @@ 

        "dist_tag": ".fc35",

        "koji_name": "f35",

        "name": "Fedora",

-       "status": "Active",

+       "status": "EOL",

        "version": "35"

      },

      {

@@ -67,7 +67,7 @@ 

      SSLEngine on

      SSLCertificateFile    /etc/pki/tls/certs/planet.fedoraproject.org.cert

      SSLCertificateKeyFile /etc/pki/tls/private/planet.fedoraproject.org.key

-     SSLCertificateChainFile /etc/pki/tls/certs/wildcard-2017.fedorapeople.org.intermediate.cert

+     SSLCertificateChainFile /etc/pki/tls/certs/wildcard-2023.fedorapeople.org.intermediate.cert

      SSLHonorCipherOrder On

      SSLProtocol {{ ssl_protocols }}

      SSLCipherSuite {{ ssl_ciphers }}

@@ -7,5 +7,5 @@ 

  15 6 * * * root TMPDIR=`mktemp -d /tmp/CloudF36.XXXXXX` && chmod 755 $TMPDIR && pushd $TMPDIR && git clone -n https://pagure.io/pungi-fedora.git && cd pungi-fedora && git checkout f36 && LANG=en_US.UTF-8 ./cloud-nightly.sh RC-$(date "+\%Y\%m\%d").0 && popd && rm -rf $TMPDIR

  

  # Fedora 35 Cloud nightly compose

- MAILTO=releng-cron@lists.fedoraproject.org

- 15 7 * * * root TMPDIR=`mktemp -d /tmp/CloudF35.XXXXXX` && chmod 755 $TMPDIR && pushd $TMPDIR && git clone -n https://pagure.io/pungi-fedora.git && cd pungi-fedora && git checkout f35 && LANG=en_US.UTF-8 ./cloud-nightly.sh RC-$(date "+\%Y\%m\%d").0 && popd && rm -rf $TMPDIR

+ #MAILTO=releng-cron@lists.fedoraproject.org

+ #15 7 * * * root TMPDIR=`mktemp -d /tmp/CloudF35.XXXXXX` && chmod 755 $TMPDIR && pushd $TMPDIR && git clone -n https://pagure.io/pungi-fedora.git && cd pungi-fedora && git checkout f35 && LANG=en_US.UTF-8 ./cloud-nightly.sh RC-$(date "+\%Y\%m\%d").0 && popd && rm -rf $TMPDIR

@@ -3,8 +3,8 @@ 

  45 5 * * * root TMPDIR=`mktemp -d /tmp/containerF37.XXXXXX` && chmod 755 $TMPDIR && pushd $TMPDIR && git clone -n https://pagure.io/pungi-fedora.git && cd pungi-fedora && git checkout f37 && LANG=en_US.UTF-8 ./container-nightly.sh RC-$(date "+\%Y\%m\%d").0 && popd && rm -rf $TMPDIR

  

  # Fedora 35 Container Updates nightly compose

- MAILTO=releng-cron@lists.fedoraproject.org

- 45 6 * * * root TMPDIR=`mktemp -d /tmp/containerF35.XXXXXX` && chmod 755 $TMPDIR && pushd $TMPDIR && git clone -n https://pagure.io/pungi-fedora.git && cd pungi-fedora && git checkout f35 && LANG=en_US.UTF-8 ./container-nightly.sh RC-$(date "+\%Y\%m\%d").0 && popd && rm -rf $TMPDIR

+ #MAILTO=releng-cron@lists.fedoraproject.org

+ #45 6 * * * root TMPDIR=`mktemp -d /tmp/containerF35.XXXXXX` && chmod 755 $TMPDIR && pushd $TMPDIR && git clone -n https://pagure.io/pungi-fedora.git && cd pungi-fedora && git checkout f35 && LANG=en_US.UTF-8 ./container-nightly.sh RC-$(date "+\%Y\%m\%d").0 && popd && rm -rf $TMPDIR

  

  # Fedora 36 Container Updates nightly compose

  MAILTO=releng-cron@lists.fedoraproject.org

@@ -108,12 +108,6 @@ 

              keyid = "{{ (env == 'production')|ternary('47dd8ef9', 'd300e724') }}"

  

              [[consumer_config.koji_instances.primary.tags]]

-             from = "f35-infra-candidate"

-             to = "f35-infra-stg"

-             key = "{{ (env == 'production')|ternary('fedora-infra', 'testkey') }}"

-             keyid = "{{ (env == 'production')|ternary('47dd8ef9', 'd300e724') }}"

- 

-             [[consumer_config.koji_instances.primary.tags]]

              from = "f36-infra-candidate"

              to = "f36-infra-stg"

              key = "{{ (env == 'production')|ternary('fedora-infra', 'testkey') }}"
@@ -143,12 +137,6 @@ 

              # Gated coreos-pool tag

  

              [[consumer_config.koji_instances.primary.tags]]

-             from = "f35-coreos-signing-pending"

-             to = "coreos-pool"

-             key = "{{ (env == 'production')|ternary('fedora-35', 'testkey') }}"

-             keyid = "{{ (env == 'production')|ternary('9867c58f', 'd300e724') }}"

- 

-             [[consumer_config.koji_instances.primary.tags]]

              from = "f36-coreos-signing-pending"

              to = "coreos-pool"

              key = "{{ (env == 'production')|ternary('fedora-36', 'testkey') }}"
@@ -309,42 +297,6 @@ 

              keyid = "{{ (env == 'production')|ternary('38ab71f4', 'd300e724') }}"

              type = "modular"

  

-             [[consumer_config.koji_instances.primary.tags]]

-             from = "f35-signing-pending"

-             to = "f35-updates-testing-pending"

-             key = "{{ (env == 'production')|ternary('fedora-35', 'testkey') }}"

-             keyid = "{{ (env == 'production')|ternary('9867c58f', 'd300e724') }}"

-             {% if env == "production" %}

-             # ima file signing - disable for now per fesco

-             # file_signing_key = "fedora-files-2021"

-             {% endif %}

- 

-             [consumer_config.koji_instances.primary.tags.sidetags]

-             pattern = 'f35-build-side-<seq_id>'

-             from = '<sidetag>-signing-pending'

-             to = '<sidetag>-testing-pending'

-             trusted_taggers = ['bodhi']

- 

-             [[consumer_config.koji_instances.primary.tags]]

-             from = "f35-pending"

-             to = "f35"

-             key = "{{ (env == 'production')|ternary('fedora-35', 'testkey') }}"

-             keyid = "{{ (env == 'production')|ternary('9867c58f', 'd300e724') }}"

- 

-             [[consumer_config.koji_instances.primary.tags]]

-             from = "f35-modular-pending"

-             to = "f35-modular"

-             key = "{{ (env == 'production')|ternary('fedora-35', 'testkey') }}"

-             keyid = "{{ (env == 'production')|ternary('9867c58f', 'd300e724') }}"

-             type = "modular"

- 

-             [[consumer_config.koji_instances.primary.tags]]

-             from = "f35-modular-signing-pending"

-             to = "f35-modular-updates-testing-pending"

-             key = "{{ (env == 'production')|ternary('fedora-35', 'testkey') }}"

-             keyid = "{{ (env == 'production')|ternary('9867c58f', 'd300e724') }}"

-             type = "modular"

- 

              #epel8 modular tags

              [[consumer_config.koji_instances.primary.tags]]

              from = "epel8-modular-signing-pending"
@@ -473,35 +425,6 @@ 

              key = "{{ (env == 'production')|ternary('fedora-36', 'testkey') }}"

              keyid = "{{ (env == 'production')|ternary('38ab71f4', 'd300e724') }}"

              

-             [[consumer_config.koji_instances.primary.tags]]

-             from = "f35-openh264"

-             to = "f35-openh264"

-             key = "{{ (env == 'production')|ternary('fedora-35', 'testkey') }}"

-             keyid = "{{ (env == 'production')|ternary('9867c58f', 'd300e724') }}"

- 

-             # Side tags created by releng

- 

-             # f35-python

-             [[consumer_config.koji_instances.primary.tags]]

-             from = "f35-python"

-             to = "f35-python"

-             key = "{{ (env == 'production')|ternary('fedora-35', 'testkey') }}"

-             keyid = "{{ (env == 'production')|ternary('9867c58f', 'd300e724') }}"

- 

-             # f35-boost

-             [[consumer_config.koji_instances.primary.tags]]

-             from = "f35-boost"

-             to = "f35-boost"

-             key = "{{ (env == 'production')|ternary('fedora-35', 'testkey') }}"

-             keyid = "{{ (env == 'production')|ternary('9867c58f', 'd300e724') }}"

- 

-             # f35-kde

-             [[consumer_config.koji_instances.primary.tags]]

-             from = "f35-kde"

-             to = "f35-kde"

-             key = "{{ (env == 'production')|ternary('fedora-35', 'testkey') }}"

-             keyid = "{{ (env == 'production')|ternary('9867c58f', 'd300e724') }}"

- 

              # f38 resigning

              [[consumer_config.koji_instances.primary.tags]]

              from = "f38"

Build succeeded.

I reverted a host key thing in that file and broke this.

Can you rebase it?

oops I mistook Kevin's comment in IRC that my patch was wrong and he had a different idea versus it was a broken merge. I thought this had been closed. I will see if I can fix.

rebased onto 1d3e0fe

a year ago

Build succeeded.

I have rebased. Could I get review to see if this works?

OK don't look. Could someone tell me how I should have merged this correctly next time? :scream:

It looks like it's picked up all the changes since it was written. ;(

I'm sure there's a way to save it, but usually in this case I just nuke the entire branch and redo it. ;(

Pull-Request has been closed by smooge

a year ago
Changes Summary 80
+2 -2
file changed
files/debuginfod/sysconfig.debuginfod
+1 -8
file changed
inventory/builders
+4 -9
file changed
inventory/group_vars/all
+2 -0
file changed
inventory/group_vars/builders
+2 -2
file changed
inventory/group_vars/buildvm_s390x_kvm
+1 -1
file changed
inventory/group_vars/checkcompose_stg
+0 -3
file changed
inventory/group_vars/openqa
+0 -3
file changed
inventory/group_vars/openqa_workers
+0 -3
file changed
inventory/group_vars/os_control
+0 -3
file changed
inventory/group_vars/os_control_stg
+4 -9
file changed
inventory/group_vars/staging
+3 -0
file changed
inventory/host_vars/buildvm-s390x-26.s390.fedoraproject.org
+3 -0
file changed
inventory/host_vars/buildvm-s390x-27.s390.fedoraproject.org
-3
file removed
inventory/host_vars/buildvm-s390x-28.s390.fedoraproject.org
-3
file removed
inventory/host_vars/buildvm-s390x-29.s390.fedoraproject.org
-3
file removed
inventory/host_vars/buildvm-s390x-30.s390.fedoraproject.org
-3
file removed
inventory/host_vars/buildvm-s390x-31.s390.fedoraproject.org
-3
file removed
inventory/host_vars/buildvm-s390x-32.s390.fedoraproject.org
-3
file removed
inventory/host_vars/buildvm-s390x-33.s390.fedoraproject.org
-3
file removed
inventory/host_vars/buildvm-s390x-34.s390.fedoraproject.org
-3
file removed
inventory/host_vars/buildvm-s390x-35.s390.fedoraproject.org
+1 -0
file changed
inventory/inventory
+2 -2
file changed
playbooks/check-for-updates.yml
+2 -2
file changed
playbooks/groups/people.yml
+7 -20
file changed
playbooks/include/proxies-certificates.yml
+1 -45
file changed
playbooks/include/proxies-websites.yml
+11 -0
file changed
playbooks/manual/communishift.yml
+19
file added
playbooks/manual/fas2discourse.yml
+0 -5
file changed
playbooks/openshift-apps/coreos-ostree-importer.yml
+0 -5
file changed
playbooks/openshift-apps/fedora-ostree-pruner.yml
+1 -0
file changed
playbooks/openshift-apps/koschei.yml
+1 -0
file changed
playbooks/openshift-apps/mdapi.yml
+0 -1
file changed
playbooks/openshift-apps/noggin-centos.yml
+1 -1
file changed
playbooks/openshift-apps/test-auth.yml
+3 -1
file changed
roles/base/templates/iptables/ip6tables
+5 -5
file changed
roles/basessh/templates/sshd_config
+0 -50
file changed
roles/bodhi2/backend/files/new-updates-sync
+1 -1
file changed
roles/bodhi2/backend/tasks/main.yml
+0 -4
file changed
roles/bodhi2/backend/templates/koji_sync_listener.toml
+1 -1
file changed
roles/bodhi2/base/templates/production.ini.j2
+0 -0
file changed
roles/collectd/base/files/selinux/fi-collectd.pp
+2 -1
file changed
roles/collectd/base/files/selinux/fi-collectd.te
+3 -4
file changed
roles/collectd/base/tasks/main.yml
+3 -0
file changed
roles/copr/backend/files/provision/provision_builder_tasks.yml
-2
file removed
roles/copr/base/files/systemd/oomd.conf.d/50-swap.conf
+7 -5
file changed
roles/copr/base/tasks/main.yml
+1 -1
file changed
roles/copr/dist_git/tasks/main.yml
+1 -2
file changed
roles/copr/frontend/files/cron.hourly/copr-frontend-optional
+3 -3
file changed
roles/download/tasks/main.yml
+1
file added
roles/fas2discourse/default/main.yml
+2
file added
roles/fas2discourse/tasks/administration-tasks.yml
+24
file added
roles/fas2discourse/tasks/create-keytab.yml
+0
file added
roles/fas2discourse/templates/main.yml
+2 -2
file changed
roles/fedmsg/gateway/slave/tasks/main.yml
+2 -2
file changed
roles/fedmsg/gateway/slave/templates/stunnel-conf.j2
+1 -1
file changed
roles/httpd/website/defaults/main.yml
+1 -1
file changed
roles/ipsilon/templates/configuration.conf
+0 -1
file changed
roles/koji_hub/templates/hub.conf.j2
+30 -0
file changed
roles/koji_hub/templates/koji-gc.conf.j2
+1 -1
file changed
roles/koji_hub/templates/kojihub.conf.j2
-28
file removed
roles/mbs/common/files/default-modules.production/platform-f35.yaml
+0 -1
file changed
roles/openqa/server/tasks/main.yml
+2 -2
file changed
roles/openshift-apps/fedora-ostree-pruner/templates/buildconfig.yml
+6 -2
file changed
roles/openshift-apps/fedora-ostree-pruner/templates/deploymentconfig.yml
+3 -3
file changed
roles/openshift-apps/fedora-ostree-pruner/templates/imagestream.yml
+0 -6
file changed
roles/openshift-apps/greenwave/templates/fedora.yaml
+8 -1
file changed
roles/openshift-apps/mdapi/files/cron.yml
+6 -0
file changed
roles/openshift-apps/mdapi/files/deploymentconfig.yml
+3 -2
file changed
roles/openshift-apps/mdapi/templates/buildconfig.yml
+10 -0
file changed
roles/openshift-apps/mdapi/templates/configmap.yml
+89
file added
roles/openshift-apps/mdapi/templates/myconfig.py
+18 -0
file changed
roles/openshift-apps/toddlers/templates/fedora-messaging.toml
+3 -3
file changed
roles/pagure/templates/0_pagure.conf
+6 -5
file changed
roles/people/tasks/main.yml
+3 -3
file changed
roles/people/templates/people.conf
+2 -2
file changed
roles/pkgdb-proxy/files/pkgdb-gnome-software-collections.json
+1 -1
file changed
roles/planet/templates/planet.conf
+2 -2
file changed
roles/releng/files/cloud-updates
+2 -2
file changed
roles/releng/files/container-updates
+0 -77
file changed
roles/robosignatory/templates/robosignatory.toml.j2