From 2d469380d3bf42b6dc0912a249b742eca33996ac Mon Sep 17 00:00:00 2001 From: Stephen Smoogen Date: Sep 30 2020 22:00:33 +0000 Subject: [PATCH 1/21] Add more files to the staging hosts so that they can be ansibled Move the bvmhost-p08-04 to stg and create an a64 one. Signed-off-by: Stephen Smoogen
---
diff --git a/inventory/host_vars/bvmhost-a64-01.stg.iad2.fedoraproject.org b/inventory/host_vars/bvmhost-a64-01.stg.iad2.fedoraproject.org
new file mode 100644
index 0000000..c26e6f7
--- /dev/null
+++ b/inventory/host_vars/bvmhost-a64-01.stg.iad2.fedoraproject.org
@@ -0,0 +1,9 @@
+---
+datacenter: iad2
+
+br0_ip: 10.3.167.16
+br0_nm: 255.255.255.0
+br0_gw: 10.3.167.254
+br0_dev: eth1
+
+dns: 10.3.163.33
diff --git a/inventory/host_vars/bvmhost-p08-01.stg.iad2.fedoraproject.org b/inventory/host_vars/bvmhost-p08-01.stg.iad2.fedoraproject.org
new file mode 100644
index 0000000..88a3910
--- /dev/null
+++ b/inventory/host_vars/bvmhost-p08-01.stg.iad2.fedoraproject.org
@@ -0,0 +1,9 @@
+---
+datacenter: iad2
+
+br0_ip: 10.3.167.15
+br0_nm: 255.255.255.0
+br0_gw: 10.3.167.254
+br0_dev: eth8
+
+dns: 10.3.163.33
diff --git a/inventory/host_vars/bvmhost-p08-04.iad2.fedoraproject.org b/inventory/host_vars/bvmhost-p08-04.iad2.fedoraproject.org
deleted file mode 100644
index 88a3910..0000000
--- a/inventory/host_vars/bvmhost-p08-04.iad2.fedoraproject.org
+++ /dev/null
@@ -1,9 +0,0 @@
----
-datacenter: iad2
-
-br0_ip: 10.3.167.15
-br0_nm: 255.255.255.0
-br0_gw: 10.3.167.254
-br0_dev: eth8
-
-dns: 10.3.163.33
From 1969ab422a5f37d2f3cc8f068de01dafb36a4c48 Mon Sep 17 00:00:00 2001 From: Silvie Chlupova Date: Oct 01 2020 12:03:31 +0000 Subject: [PATCH 2/21] copr: set postfix_group variable
---
diff --git a/inventory/group_vars/copr_aws b/inventory/group_vars/copr_aws
index 9c7d320..95dd2f9 100644
--- a/inventory/group_vars/copr_aws
+++ b/inventory/group_vars/copr_aws
@@ -13,7 +13,7 @@ copr_backend_ips: ["34.227.76.72", "172.30.2.166"] keygen_host: "52.202.64.55" backend_base_url: "https://download.copr.fedorainfracloud.org" -postfix_maincf: "postfix/main.cf/main.cf.copr" +postfix_group: copr frontend_base_url: "https://copr.fedorainfracloud.org" dist_git_base_url: "copr-dist-git.fedorainfracloud.org" diff --git a/inventory/group_vars/copr_dev_aws b/inventory/group_vars/copr_dev_aws index fb78844..e41a9ce 100644 --- a/inventory/group_vars/copr_dev_aws +++ b/inventory/group_vars/copr_dev_aws @@ -14,7 +14,7 @@ copr_backend_ips: ["54.174.143.212", "172.30.2.128"] keygen_host: "18.209.1.14" backend_base_url: "https://download.copr-dev.fedorainfracloud.org" -postfix_maincf: "postfix/main.cf/main.cf.copr" +postfix_group: copr frontend_base_url: "https://copr-fe-dev.cloud.fedoraproject.org" dist_git_base_url: "copr-dist-git-dev.fedorainfracloud.org" From 7718395ae7cec62e6fd9164721c179d6d38f2d64 Mon Sep 17 00:00:00 2001 From: Rick Elrod Date: Oct 01 2020 12:03:31 +0000 Subject: [PATCH 3/21] websites: add python-gnupg for building key bundle and sanity-checking static/keys Signed-off-by: Rick Elrod --- diff --git a/roles/openshift-apps/websites/templates/buildconfig.yml b/roles/openshift-apps/websites/templates/buildconfig.yml index 955c839..eb7bd3e 100644 --- a/roles/openshift-apps/websites/templates/buildconfig.yml +++ b/roles/openshift-apps/websites/templates/buildconfig.yml @@ -19,6 +19,7 @@ spec: python3-flask-babel \ python3-flask-htmlmin \ python3-cssutils \ + python3-gnupg \ rubygem-sass \ babel \ python3-jinja2 \ From 7280aa86e027c882d3f7f127acd419d42adedeac Mon Sep 17 00:00:00 2001 From: Pierre-Yves Chibon Date: Oct 01 2020 12:03:31 +0000 Subject: [PATCH 4/21] pagure: close all ports but 22 from batcave so we're sure people don't push changes while we do the migration Signed-off-by: Pierre-Yves Chibon --- diff --git a/inventory/group_vars/pagure b/inventory/group_vars/pagure index 5f6c22b..ebe732f 100644 
--- a/inventory/group_vars/pagure +++ b/inventory/group_vars/pagure @@ -8,12 +8,14 @@ num_cpus: 16 # for systems that do not match the above - specify the same parameter in # the host_vars/$hostname file -tcp_ports: [ 22, 25, 80, 443, - 8442, 8443, 8444, 8445, - # Used for the eventsource - 8088, - # This is for the pagure public fedmsg relay - 9940] +#tcp_ports: [ 22, 25, 80, 443, +# 8442, 8443, 8444, 8445, +# # Used for the eventsource +# 8088, +# # This is for the pagure public fedmsg relay +# 9940] +# +custom_rules: [ '-A INPUT -p tcp -m tcp -s 38.145.60.16 --dport 22 -j ACCEPT' ] stunnel_service: "eventsource" stunnel_source_port: 8088 From c19f49575c8bd3c792cd29c07a191e40a77ffb8a Mon Sep 17 00:00:00 2001 From: Pierre-Yves Chibon Date: Oct 01 2020 12:03:31 +0000 Subject: [PATCH 5/21] Revert "pagure: close all ports but 22 from batcave so we're sure people don't push changes while we do the migration" This reverts commit 3e792633ec4adbec086e9efad7fbcf3091ed4a56. --- diff --git a/inventory/group_vars/pagure b/inventory/group_vars/pagure index ebe732f..5f6c22b 100644 --- a/inventory/group_vars/pagure +++ b/inventory/group_vars/pagure @@ -8,14 +8,12 @@ num_cpus: 16 # for systems that do not match the above - specify the same parameter in # the host_vars/$hostname file -#tcp_ports: [ 22, 25, 80, 443, -# 8442, 8443, 8444, 8445, -# # Used for the eventsource -# 8088, -# # This is for the pagure public fedmsg relay -# 9940] -# -custom_rules: [ '-A INPUT -p tcp -m tcp -s 38.145.60.16 --dport 22 -j ACCEPT' ] +tcp_ports: [ 22, 25, 80, 443, + 8442, 8443, 8444, 8445, + # Used for the eventsource + 8088, + # This is for the pagure public fedmsg relay + 9940] stunnel_service: "eventsource" stunnel_source_port: 8088 From 6d63fdd22f9009e7aa81f69514b377c5f74feb26 Mon Sep 17 00:00:00 2001 From: Pierre-Yves Chibon Date: Oct 01 2020 12:03:31 +0000 Subject: [PATCH 6/21] pagure: adjust pagure's postfix configuration to rhel8 Signed-off-by: Pierre-Yves Chibon --- 
diff --git a/roles/base/files/postfix/main.cf/main.cf.vpn.pagure b/roles/base/files/postfix/main.cf/main.cf.vpn.pagure index 0b09a02..6eef4b4 100644 --- a/roles/base/files/postfix/main.cf/main.cf.vpn.pagure +++ b/roles/base/files/postfix/main.cf/main.cf.vpn.pagure @@ -688,3 +688,8 @@ message_size_limit = 20971520 non_smtpd_milters = unix:/var/run/pagure/paguresock smtpd_milters = unix:/var/run/pagure/paguresock + +# The following are needed for postfix-3 +smtpd_relay_restrictions = ${{$compatibility_level} < {1} ? {} :{permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination}} +compatibility_level = 2 + From c57052ae0428934128d9b270c33903d95e749c3b Mon Sep 17 00:00:00 2001 From: Pierre-Yves Chibon Date: Oct 01 2020 12:03:31 +0000 Subject: [PATCH 7/21] pagure: enable the httpd_execmem selinux boolean Signed-off-by: Pierre-Yves Chibon --- diff --git a/roles/pagure/frontend/tasks/main.yml b/roles/pagure/frontend/tasks/main.yml index d62713b..1f25330 100644 --- a/roles/pagure/frontend/tasks/main.yml +++ b/roles/pagure/frontend/tasks/main.yml @@ -539,6 +539,15 @@ - web - pagure +- name: set sebooleans so pygit2 can read the git repos + seboolean: name=httpd_execmem + state=true + persistent=true + tags: + - selinux + - web + - pagure + # Ensure all the services are up and running From 9c32fc5c7c5e9da6c892a280b5ca2241b4c3b6c5 Mon Sep 17 00:00:00 2001 From: Pierre-Yves Chibon Date: Oct 01 2020 12:03:31 +0000 Subject: [PATCH 8/21] pagure: enable the nis_enabled selinux boolean Signed-off-by: Pierre-Yves Chibon --- diff --git a/roles/pagure/frontend/tasks/main.yml b/roles/pagure/frontend/tasks/main.yml index 1f25330..35c292d 100644 --- a/roles/pagure/frontend/tasks/main.yml +++ b/roles/pagure/frontend/tasks/main.yml 
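Review bot: `compatibility_level = 2` is set on the line right after `smtpd_relay_restrictions`, so the `${{$compatibility_level} < {1} ? {} : ...}` conditional always takes its second branch and could be written plainly as `smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination`, which is easier to audit than the copied stock default. Raising the compatibility level to 2 also switches Postfix's built-in defaults for `mynetworks_style` (subnet to host) and `relay_domains` (`$mydestination` to empty); if this file relies on either default instead of setting `mynetworks`/`relay_domains` explicitly, the relaying behaviour of the VPN host changes with this hunk — the rest of main.cf is outside the hunk, so confirm before deploying. The hunk also leaves an added trailing blank line at end of file.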
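Review bot: `httpd_execmem` lets every process in `httpd_t` map memory that is both writable and executable, not only pygit2, so the task name understates its scope; a short comment naming the library that fails without it (and the denial it was taken from) would let the boolean be dropped once that library no longer needs it. Later in this series (PATCH 9/21) the custom policy adds `allow httpd_t self:process execmem;`, which is the same permission, so one of the two is redundant and whichever stays should be the documented one. The task sits between the `tags` list of the previous task and the `# Ensure all the services are up and running` comment; the surrounding tasks are outside the hunk.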
@@ -548,6 +548,15 @@ - web - pagure +- name: set sebooleans so ssh can retrieve access info from apache + seboolean: name=nise_enabled + state=true + persistent=true + tags: + - selinux + - web + - pagure + # Ensure all the services are up and running From 9c91658d0aeffdae1fdda630d2a449560a09cf8a Mon Sep 17 00:00:00 2001 From: Pierre-Yves Chibon Date: Oct 01 2020 12:03:31 +0000 Subject: [PATCH 9/21] pagure: update the selinux configuration for pagure Split all the selinux tasks in a different file so it's easier to read/find. Adjust the custom policy based on our latest findings. Build and compile the policy directly on the host. Signed-off-by: Pierre-Yves Chibon --- diff --git a/roles/pagure/frontend/files/selinux/pagure.fc b/roles/pagure/frontend/files/selinux/pagure.fc deleted file mode 100644 index e69de29..0000000 --- a/roles/pagure/frontend/files/selinux/pagure.fc +++ /dev/null diff --git a/roles/pagure/frontend/files/selinux/pagure.if b/roles/pagure/frontend/files/selinux/pagure.if deleted file mode 100644 index 3eb6a30..0000000 --- a/roles/pagure/frontend/files/selinux/pagure.if +++ /dev/null @@ -1 +0,0 @@ -## diff --git a/roles/pagure/frontend/files/selinux/pagure.pp b/roles/pagure/frontend/files/selinux/pagure.pp deleted file mode 100644 index a6248e7..0000000 Binary files a/roles/pagure/frontend/files/selinux/pagure.pp and /dev/null differ diff --git a/roles/pagure/frontend/files/selinux/pagure.te b/roles/pagure/frontend/files/selinux/pagure.te index d661e61..1352e85 100644 --- a/roles/pagure/frontend/files/selinux/pagure.te +++ b/roles/pagure/frontend/files/selinux/pagure.te 
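Review bot: `seboolean: name=nise_enabled` is a typo for `nis_enabled`; the module fails on an unknown boolean and the play stops at this task. The same typo is carried into selinux.yml in PATCH 9/21 and only corrected in PATCH 11/21, so squashing that fix into this commit would keep every intermediate commit deployable. Separately, `nis_enabled` is a global toggle that widens network access for many confined domains at once, not just sshd; if the actual need is only sshd reaching the local web port, the explicit `allow sshd_t http_port_t:tcp_socket name_connect;` rule that PATCH 12/21 adds is the narrower choice and this boolean could then be left off (confirm nothing else on the host depends on it).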
@@ -1,11 +1,42 @@ -module pagure 1.0; +module pagure 1.1; require { - type httpd_t; - type gitosis_var_lib_t; + type var_t; + type var_log_t; + type http_port_t; + type httpd_t; + type postfix_smtpd_t; + type postfix_cleanup_t; + type ldconfig_exec_t; + type gitosis_var_lib_t; + type httpd_log_t; + type var_run_t; class dir { add_name remove_name write }; - class file { create link setattr unlink write }; + class file { execute execute_no_trans getattr map open read rename unlink }; + class sock_file write; + class process execmem; } allow httpd_t gitosis_var_lib_t:dir { add_name remove_name write }; allow httpd_t gitosis_var_lib_t:file { create link setattr unlink write }; + +#============= httpd_t ============== + +#!!!! This avc can be allowed using the boolean 'domain_can_mmap_files' +allow httpd_t gitosis_var_lib_t:file map; +allow httpd_t httpd_log_t:file { rename unlink }; + +#!!!! This avc is allowed in the current policy +allow httpd_t self:process execmem; +allow httpd_t var_log_t:file { open rename }; + +#!!!! This avc can be allowed using the boolean 'domain_can_mmap_files' +allow httpd_t var_t:file map; +allow httpd_t var_t:file { getattr open read }; + +#============= postfix_cleanup_t ============== +allow postfix_cleanup_t var_run_t:sock_file write; + +#============= postfix_smtpd_t ============== +allow postfix_smtpd_t var_run_t:sock_file write; + diff --git a/roles/pagure/frontend/tasks/main.yml b/roles/pagure/frontend/tasks/main.yml index 35c292d..d0f9485 100644 --- a/roles/pagure/frontend/tasks/main.yml +++ b/roles/pagure/frontend/tasks/main.yml 
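Review bot: the new `require` block drops `create link setattr write` from `class file`, but the retained rule `allow httpd_t gitosis_var_lib_t:file { create link setattr unlink write };` still uses them, so `checkmodule` should reject this version of the module (PATCH 10/21 adds them back; squashing would keep the series buildable at every step). `http_port_t` and `ldconfig_exec_t` are required but unused here and only gain rules in PATCH 12/21. The `allow httpd_t var_t:file { getattr open read }` and `map` rules deserve a comment: `var_t` is the fallback label for unlabelled content under /var, so this grants the web server read access to anything that ends up there; labelling the specific path with an `httpd_*` type via `semanage fcontext`, as the role already does for /srv/git and /var/www/releases, would be narrower. The raw `#!!!!` audit2allow notes could be replaced by one line per rule saying which denial it covers.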
@@ -472,91 +472,9 @@ tags: - pagure -- name: check the selinux context of the git repo directory - command: matchpathcon /srv/git - register: distgitcontext - check_mode: no - changed_when: false - tags: - - config - - pagure - - selinux - -- name: set the SELinux policy for the distgit root directory - command: semanage fcontext -a -t gitosis_var_lib_t "/srv/git(/.*)?" - when: distgitcontext.stdout.find('gitosis_var_lib_t') == -1 - tags: - - config - - pagure - - selinux - -- name: check the selinux context of the releases directory - command: matchpathcon /var/www/releases - register: distgitcontext - check_mode: no - changed_when: false - tags: - - config - - pagure - - selinux - -# Note: On Fedora its httpd_sys_content_rw_t - Don't we love confusions? -- name: set the SELinux policy for the releases directory - command: semanage fcontext -a -t httpd_sys_rw_content_t "/var/www/releases(/.*)?" - when: distgitcontext.stdout.find('httpd_sys_rw_content_t') == -1 - tags: - - config - - pagure - - selinux - -- name: copy over our custom selinux module - copy: src=selinux/pagure.pp dest=/usr/local/share/pagure.pp - register: selinux_module - tags: - - pagure - -- name: install our custom selinux module - command: semodule -i /usr/local/share/pagure.pp - when: selinux_module is changed - tags: - - pagure - -- name: set sebooleans so pagure can talk to the network (db + redis) - seboolean: name=httpd_can_network_connect - state=true - persistent=true - tags: - - selinux - - web - - pagure - -- name: set sebooleans so apache can send emails - seboolean: name=httpd_can_sendmail - state=true - persistent=true - tags: - - selinux - - web - - pagure - -- name: set sebooleans so pygit2 can read the git repos - seboolean: name=httpd_execmem - state=true - persistent=true +- import_tasks: selinux.yml tags: - selinux - - web - - pagure - -- name: set sebooleans so ssh can retrieve access info from apache - seboolean: name=nise_enabled - state=true - persistent=true - tags: - - 
selinux - - web - - pagure - # Ensure all the services are up and running diff --git a/roles/pagure/frontend/tasks/selinux.yml b/roles/pagure/frontend/tasks/selinux.yml new file mode 100644 index 0000000..d38c86d --- /dev/null +++ b/roles/pagure/frontend/tasks/selinux.yml 
@@ -0,0 +1,106 @@ +--- +- name: check the selinux context of the git repo directory + command: matchpathcon /srv/git + register: distgitcontext + check_mode: no + changed_when: false + tags: + - config + - pagure + - selinux + +- name: set the SELinux policy for the distgit root directory + command: semanage fcontext -a -t gitosis_var_lib_t "/srv/git(/.*)?" + when: distgitcontext.stdout.find('gitosis_var_lib_t') == -1 + tags: + - config + - pagure + - selinux + +- name: check the selinux context of the releases directory + command: matchpathcon /var/www/releases + register: distgitcontext + check_mode: no + changed_when: false + tags: + - config + - pagure + - selinux + +# Note: On Fedora its httpd_sys_content_rw_t - Don't we love confusions? +- name: set the SELinux policy for the releases directory + command: semanage fcontext -a -t httpd_sys_rw_content_t "/var/www/releases(/.*)?" + when: distgitcontext.stdout.find('httpd_sys_rw_content_t') == -1 + tags: + - config + - pagure + - selinux + +- name: copy over our custom selinux module + copy: src=selinux/pagure.te dest=/usr/local/share/pagure.te + register: selinux_module + tags: + - config + - pagure + - selinux + +- name: Build our custom selinux module + command: checkmodule -M -m -o /usr/local/share/pagure.mod /usr/local/share/pagure.te + when: selinux_module is changed + tags: + - config + - pagure + - selinux + +- name: Compile our custom selinux module + command: semodule_package -o /usr/local/share/pagure.pp -m /usr/local/share/pagure.mod + when: selinux_module is changed + tags: + - config + - pagure + - selinux + +- name: install our custom selinux module + command: semodule -i /usr/local/share/pagure.pp + when: selinux_module is changed + tags: + - config + - pagure + - selinux + +- name: set sebooleans so pagure can talk to the network (db + redis) + seboolean: name=httpd_can_network_connect + state=true + persistent=true + tags: + - config + - selinux + - pagure + +- name: set sebooleans so apache can 
send emails + seboolean: name=httpd_can_sendmail + state=true + persistent=true + tags: + - config + - selinux + - pagure + +- name: set sebooleans so pygit2 can read the git repos + seboolean: name=httpd_execmem + state=true + persistent=true + tags: + - config + - selinux + - pagure + +- name: set sebooleans so ssh can retrieve access info from apache + seboolean: name=nise_enabled + state=true + persistent=true + tags: + - config + - selinux + - pagure + From 15eb23033a69cdd1b0ec9e378279fa8820d7be30 Mon Sep 17 00:00:00 2001 From: Pierre-Yves Chibon Date: Oct 01 2020 12:03:31 +0000 Subject: [PATCH 10/21] pagure: Add missing permission in the pagure policy Signed-off-by: Pierre-Yves Chibon --- diff --git a/roles/pagure/frontend/files/selinux/pagure.te b/roles/pagure/frontend/files/selinux/pagure.te index 1352e85..72fdac2 100644 --- a/roles/pagure/frontend/files/selinux/pagure.te +++ b/roles/pagure/frontend/files/selinux/pagure.te @@ -11,8 +11,8 @@ require { type gitosis_var_lib_t; type httpd_log_t; type var_run_t; - class dir { add_name remove_name write }; - class file { execute execute_no_trans getattr map open read rename unlink }; + class dir { add_name remove_name write }; + class file { create link setattr write execute execute_no_trans getattr map open read rename unlink }; class sock_file write; class process execmem; } From 6a9f6e29e17b9ea5cf245463e7fbb95faeefb864 Mon Sep 17 00:00:00 2001 From: Pierre-Yves Chibon Date: Oct 01 2020 12:03:31 +0000 Subject: [PATCH 11/21] pagure: fix typo in selinux boolean Signed-off-by: Pierre-Yves Chibon --- diff --git a/roles/pagure/frontend/tasks/selinux.yml b/roles/pagure/frontend/tasks/selinux.yml index d38c86d..0e17581 100644 --- a/roles/pagure/frontend/tasks/selinux.yml +++ b/roles/pagure/frontend/tasks/selinux.yml @@ -96,7 +96,7 @@ - pagure - name: set sebooleans so ssh can retrieve access info from apache - seboolean: name=nise_enabled + seboolean: name=nis_enabled state=true persistent=true tags: 
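Review bot: the `checkmodule`, `semodule_package` and `semodule -i` tasks are all gated on `selinux_module is changed`, i.e. on the copy of pagure.te; if any of the three fails (for instance `checkmodule` on the pagure.te in this commit, whose `require` block is incomplete), the next run sees an unchanged copy, skips the build, and the host stays without the module until the .te file changes again. Gating the build on the .pp being absent or older than the .te (a `stat` of both files and a `when` comparing mtimes) lets a failed run self-heal; `checkmodule` and `semodule_package` also need the checkpolicy/policycoreutils tooling installed, which no task here ensures (it may be handled elsewhere in the role). Two smaller points: `register: distgitcontext` is reused for the /var/www/releases check, where a name like `releasescontext` reads better, and the sebooleans lost the `web` tag they carried in main.yml, so a `--tags web` run no longer sets them. The `nise_enabled` typo is carried over here as well (fixed in PATCH 11/21).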
From eb65dada29c7640216d3fa7c87e45f2d2c2cf077 Mon Sep 17 00:00:00 2001 From: Pierre-Yves Chibon Date: Oct 01 2020 12:03:31 +0000 Subject: [PATCH 12/21] pagure: adjust the selinux policy some more Signed-off-by: Pierre-Yves Chibon --- diff --git a/roles/pagure/frontend/files/selinux/pagure.te b/roles/pagure/frontend/files/selinux/pagure.te index 72fdac2..6579829 100644 --- a/roles/pagure/frontend/files/selinux/pagure.te +++ b/roles/pagure/frontend/files/selinux/pagure.te @@ -1,20 +1,21 @@ module pagure 1.1; require { - type var_t; - type var_log_t; - type http_port_t; - type httpd_t; - type postfix_smtpd_t; - type postfix_cleanup_t; - type ldconfig_exec_t; type gitosis_var_lib_t; type httpd_log_t; + type httpd_t; + type http_port_t; + type ldconfig_exec_t; + type postfix_cleanup_t; + type postfix_smtpd_t; + type var_log_t; type var_run_t; + type var_t; class dir { add_name remove_name write }; class file { create link setattr write execute execute_no_trans getattr map open read rename unlink }; - class sock_file write; class process execmem; + class sock_file write; + class tcp_socket name_connect; } allow httpd_t gitosis_var_lib_t:dir { add_name remove_name write }; @@ -40,3 +41,12 @@ allow postfix_cleanup_t var_run_t:sock_file write; #============= postfix_smtpd_t ============== allow postfix_smtpd_t var_run_t:sock_file write; +#============= sshd_t ============== + +#!!!! This avc is allowed in the current policy +allow sshd_t http_port_t:tcp_socket name_connect; + +#!!!! This avc can be allowed using the boolean 'domain_can_mmap_files' +allow sshd_t ldconfig_exec_t:file map; +allow sshd_t ldconfig_exec_t:file { execute execute_no_trans open read }; + From c2e246b33a3232fca76f082090cd7fbac4c3cce4 Mon Sep 17 00:00:00 2001 From: Pierre-Yves Chibon Date: Oct 01 2020 12:03:31 +0000 Subject: [PATCH 13/21] pagure: missed a type in the selinux policy... Signed-off-by: Pierre-Yves Chibon --- 
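Review bot: the new rules reference `sshd_t`, but the `require` block still has no `type sshd_t;`, so this version of pagure.te does not build (PATCH 13/21 adds it; squash the two). The `#!!!! This avc is allowed in the current policy` line above `allow sshd_t http_port_t:tcp_socket name_connect;` means the access was already granted, presumably by the `nis_enabled` boolean set in selinux.yml; the explicit rule is the narrower of the two, so keeping it and dropping the boolean, once confirmed nothing else relies on it, would tighten the host. `allow sshd_t ldconfig_exec_t:file { execute execute_no_trans open read }` runs ldconfig inside `sshd_t` instead of transitioning to its own domain; a one-line comment on why sshd needs this (presumably the helper sshd invokes to query pagure for access info — confirm) would make the rule reviewable later.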
diff --git a/roles/pagure/frontend/files/selinux/pagure.te b/roles/pagure/frontend/files/selinux/pagure.te index 6579829..020e9e6 100644 --- a/roles/pagure/frontend/files/selinux/pagure.te +++ b/roles/pagure/frontend/files/selinux/pagure.te @@ -8,6 +8,7 @@ require { type ldconfig_exec_t; type postfix_cleanup_t; type postfix_smtpd_t; + type sshd_t; type var_log_t; type var_run_t; type var_t; From d55978c755eaa0ae6ff9c0d8c5ceb6e38d98c2c7 Mon Sep 17 00:00:00 2001 From: Mark O'Brien Date: Oct 01 2020 12:03:31 +0000 Subject: [PATCH 19/21] update readme to reference ansible hosted on pagure --- diff --git a/README.md b/README.md index 670f6b2..9912c9e 100644 --- a/README.md +++ b/README.md @@ -3,6 +3,9 @@ Fedora Infrastructure Welcome! This is the Fedora Infrastructure Ansible Pagure project. +Pull requests and forks can be made against this repository hosted +at https://pagure.io/fedora-infra/ansible + This repository is also mirrored for production runs to https://infrastructure.fedoraproject.org/infra/ansible/ but this is the working repository where changes are made. From 95c26bdf9623565a4950262883792955a0599e09 Mon Sep 17 00:00:00 2001 From: Mark O'Brien Date: Oct 01 2020 12:03:31 +0000 Subject: [PATCH 21/21] pagure - remove refs to sslv1/2 as no longer supported --- diff --git a/roles/pagure/frontend/templates/stunnel-conf.j2 b/roles/pagure/frontend/templates/stunnel-conf.j2 index 3f97e5b..2d898cf 100644 --- a/roles/pagure/frontend/templates/stunnel-conf.j2 +++ b/roles/pagure/frontend/templates/stunnel-conf.j2 @@ -9,8 +9,6 @@ pid = /var/run/stunnel.pid [{{ stunnel_service }}] sslVersion = all -options = NO_SSLv2 options = NO_SSLv3 -options = NO_TLSv1 accept = {{ stunnel_source_port }} connect = {{ stunnel_destination_port }}
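Review bot: `options = NO_TLSv1` is not an SSLv1/v2 reference: it disables TLS 1.0, and with `sslVersion = all` left in place removing it re-enables TLS 1.0 on `[{{ stunnel_service }}]` wherever the linked OpenSSL still supports it. Keep `options = NO_TLSv1` and add `options = NO_TLSv1_1`, or, if the deployed stunnel supports it, replace `sslVersion = all` with a floor such as `sslVersionMin = TLSv1.2`. Dropping `NO_SSLv2` is fine, since current OpenSSL no longer builds SSLv2.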