Re: Ansible question

2015-01-28 Thread Kevin Fenzi
On Wed, 28 Jan 2015 23:12:02 +0100
Maciej Lasyk docent@gmail.com wrote:

> Wouldn't it be more secure to use Vault here?

We don't actually use vault at all. It would require (as far as I know)
everyone to know the password. Instead we keep private stuff in private
vars files. 

kevin


___
infrastructure mailing list
infrastructure@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/infrastructure

Re: Ansible question

2015-01-28 Thread Kevin Fenzi
On Wed, 28 Jan 2015 16:57:56 +0100
Miroslav Suchý msu...@redhat.com wrote:

...snip...

> Is there a way to mask the output (using -name or something) so the
> password is not printed to the console?


Sadly, I don't know of any way to do that. ;( 

It does sound like something that would be a nice feature... 
Perhaps it could be done in a handler?

kevin



Plan for tomorrow's Fedora Infrastructure meeting (2015-01-29)

2015-01-28 Thread Kevin Fenzi
The infrastructure team will be having its weekly meeting tomorrow, 
2015-01-29 at 18:00 UTC in #fedora-meeting on the freenode network.

Suggested topics:

#topic New folks introductions and Apprentice tasks.

If any new folks want to give a quick one line bio or any apprentices
would like to ask general questions, they can do so in this part of the
meeting. Don't be shy!

#topic Applications status / discussion

Check in on status of our applications: pkgdb, fas, bodhi, koji,
community, voting, tagger, packager, dpsearch, etc. 
If there are new releases, bugs we need to work around or things to note. 

#topic Sysadmin status / discussion

Here we talk about sysadmin related happenings from the previous week,
or things that are upcoming. 

#topic nagios/alerts recap

Here we go over the last week's alerts and see if we can find ways to
make it so they don't happen again. 

#topic Upcoming Tasks/Items 

https://apps.fedoraproject.org/calendar/list/infrastructure/

#topic Open Floor

Submit your agenda items as tickets in the trac instance and send a 
note replying to this thread.

More info here:

https://fedoraproject.org/wiki/Infrastructure/Meetings#Meetings

Thanks

kevin



Re: Great Infrastructure projects status roundup

2015-01-28 Thread Kevin Fenzi
On Wed, 28 Jan 2015 18:01:59 +0100
Pierre-Yves Chibon pin...@pingoured.fr wrote:

> After some more fighting:
> is working:
> - shell access for admins
> - fedpkg clone, pull, push
>   - Fails on package on which user does not have the ACLs
>   - Fails on branches not allowed
>   - Fails on branches named origin/...
> - cgit: http://pkgs.stg.fedoraproject.org/cgit/
> - fedpkg new-sources / sources
>
> All this with SELinux enabled.

Hurray!

> Fails:
> - fedmsg-genacls.sh
> - fedmsg messages sent after an upload
> Of the two, the last one at least is still SELinux related, no clue
> for the first one.
>
> So if we want to move it along, we can run w/o SELinux for the moment
> (as we do currently) or wait some more to debug/fix things.

I'd really like to have selinux enabled on it. 

If we can't figure it out, perhaps we could ask Dan Walsh to take a
look?

 
> Thanks to Mathieu and tfirg on #selinux for the great help on this
> work!

Yes, thanks for all your work on this... exciting to get nearer to
deploying. 

kevin



Ansible question

2015-01-28 Thread Miroslav Suchý
I have this ansible snippet:
  - name: Create users
    keystone_user:
      login_user=admin login_password={{ ADMIN_PASS }} login_tenant_name=admin
      user={{ item.name }}
      email={{ item.email }}
      tenant={{ item.tenant }}
      password={{ item.password }}
      state=present
    with_items:
      - { name: kevin, email: 'ke...@fedoraproject.org', tenant: infrastructure, password: "{{ kevin_password }}" }
      - { name: laxathom, email: 'laxat...@fedoraproject.org', tenant: infrastructure, password: "{{ laxathom_password }}" }


But when I run it, it produces:
TASK: [Create users] **
changed: [fed-cloud09.cloud.fedoraproject.org] => (item={'password': u'', 'name': 'kevin', 'tenant': 'infrastructure', 'email': 'ke...@fedoraproject.org'})

changed: [fed-cloud09.cloud.fedoraproject.org] => (item={'password': u'', 'name': 'laxathom', 'tenant': 'infrastructure', 'email': 'laxat...@fedoraproject.org'})

Is there a way to mask the output (using -name or something) so the password is
not printed to the console?
-- 
Miroslav Suchy, RHCE, RHCDS
Red Hat, Senior Software Engineer, #brno, #devexp, #fedora-buildsys
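
One way to keep the passwords in the task above off the console is Ansible's
no_log task keyword. The playbook below is an added example, not code from this
thread or from Fedora Infrastructure; the host group, the private vars file
path and the e-mail addresses are constructed placeholders.

```yaml
# Added example. Assumptions: the inventory group name, the vars file path
# and the example.org addresses are placeholders, not values from the thread.
- hosts: cloud_controllers              # hypothetical inventory group
  vars_files:
    # Hypothetical private vars file, readable only by the admins who run
    # the playbook; it defines ADMIN_PASS, kevin_password, laxathom_password.
    - /srv/private/cloud_passwords.yml
  tasks:
    - name: Create users
      keystone_user:
        login_user: admin
        login_password: "{{ ADMIN_PASS }}"
        login_tenant_name: admin
        user: "{{ item.name }}"
        email: "{{ item.email }}"
        tenant: "{{ item.tenant }}"
        password: "{{ item.password }}"
        state: present
      with_items:
        - name: kevin
          email: kevin@example.org      # constructed address
          tenant: infrastructure
          password: "{{ kevin_password }}"
        - name: laxathom
          email: laxathom@example.org   # constructed address
          tenant: infrastructure
          password: "{{ laxathom_password }}"
      # Without no_log, every loop iteration prints the whole item dict,
      # password included, as in the output quoted in the post. With it,
      # the per-item arguments and result are censored on the console and
      # in anything a callback plugin writes to a log.
      no_log: true
```

no_log also hides the module's error details for that task, so a failure has to
be debugged with the keyword temporarily removed on a non-production run. It
does not affect Ansible's own debugging output.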

Re: Ansible question

2015-01-28 Thread Maciej Lasyk
Wouldn't it be more secure to use Vault here?

Cheers,
Maciej Lasyk

GPG key ID: 4FED49C5
GPG public key: http://maciek.lasyk.info/gpg_maciej_lasyk.asc

On Wed, Jan 28, 2015 at 4:57 PM, Miroslav Suchý msu...@redhat.com wrote:

> I have this ansible snippet:
>   - name: Create users
>     keystone_user:
>       login_user=admin login_password={{ ADMIN_PASS }} login_tenant_name=admin
>       user={{ item.name }}
>       email={{ item.email }}
>       tenant={{ item.tenant }}
>       password={{ item.password }}
>       state=present
>     with_items:
>       - { name: kevin, email: 'ke...@fedoraproject.org', tenant: infrastructure, password: "{{ kevin_password }}" }
>       - { name: laxathom, email: 'laxat...@fedoraproject.org', tenant: infrastructure, password: "{{ laxathom_password }}" }
>
>
> But when I run it, it produces:
> TASK: [Create users] **
> changed: [fed-cloud09.cloud.fedoraproject.org] => (item={'password': u'', 'name': 'kevin', 'tenant': 'infrastructure', 'email': 'ke...@fedoraproject.org'})
>
> changed: [fed-cloud09.cloud.fedoraproject.org] => (item={'password': u'', 'name': 'laxathom', 'tenant': 'infrastructure', 'email': 'laxat...@fedoraproject.org'})
>
> Is there a way to mask the output (using -name or something) so the password
> is not printed to the console?
> --
> Miroslav Suchy, RHCE, RHCDS
> Red Hat, Senior Software Engineer, #brno, #devexp, #fedora-buildsys

Re: Can not use mirrorlist with RHEL $releasever (bz#1175566)

2015-01-28 Thread Miroslav Suchý
On 01/08/2015 11:13 PM, Ian Wienand wrote:
> Hi,
>
> I'd like to try and find the/a person who could help out with [1].
>
> EPEL version updates are a fairly constant annoyance that causes
> issues with CI systems in upstream openstack when the version updates.
>
> As described in the bug, I'd really like to just setup a .repo file
> with
>
>   http://mirrors.fedoraproject.org/mirrorlist?repo=epel-$releasever&arch=$basearch
>
> to install epel-release and things should just work to always grab
> the latest release.  However [6|7]Server, as given in $releasever by
> RHEL/Centos, don't work as a path.
>
> Any suggestions on how we can get this fixed?

I have been facing this in Copr and mock, where you were unable to set additional
repos for a project because:
  https://copr-be.cloud.fedoraproject.org/results/foo/bar/epel-$releasever-$basearch/
was expanded to {6,7}Server as you stated.

The only solution is to create your own mapping and pass it to yum using
--releasever.
In mock I did it so that e.g. /etc/mock/epel-6-x86_64.cfg has
  config_opts['releasever'] = '6'
and mock has this defined for every chroot config and passes this value to
--releasever of yum/dnf.

This way you can actually pass to mockchain
--addrepo='https://copr-be.cloud.fedoraproject.org/results/foo/bar/epel-$releasever-$basearch/'
and it will work as expected.

I'm not sure if this will help you in your specific case though.

-- 
Miroslav Suchy, RHCE, RHCDS
Red Hat, Senior Software Engineer, #brno, #devexp, #fedora-buildsys

[PATCH] Remove davej RH address from kernel-team emails

2015-01-28 Thread Paul W. Frields
---
 roles/fas_client/files/aliases.template|2 +-
 roles/fas_client/files/aliases.template.mailserver |2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/roles/fas_client/files/aliases.template 
b/roles/fas_client/files/aliases.template
index fafc724..88ef746 100644
--- a/roles/fas_client/files/aliases.template
+++ b/roles/fas_client/files/aliases.template
@@ -260,7 +260,7 @@ fedora-docker-trusted: scollier,lsm5,mattdm
 fedoraqa-devel-admin: tflink,kparal,mkrizek
 
 # fedora kernel aliases
-kernel-team: da...@redhat.com,jwbo...@redhat.com,jfor...@redhat.com
+kernel-team: jwbo...@redhat.com,jfor...@redhat.com
 kernel-maint: kernel-ma...@redhat.com
 lvm-team: lvm-t...@redhat.com
 fedora-kernel-acpi: 
a...@linux.intel.com,len.br...@intel.com,mj...@srcf.ucam.org
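Review bot: The kernel-team line in this hunk still hard-codes personal @redhat.com addresses, while the neighbouring aliases fedora-docker-trusted and fedoraqa-devel-admin list account names. Entries written this way need a manual patch like this one every time an address stops being valid. Consider listing the remaining kernel-team members by account name, as those aliases do, so the alias follows the account rather than an employer mailbox.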
diff --git a/roles/fas_client/files/aliases.template.mailserver 
b/roles/fas_client/files/aliases.template.mailserver
index a17aad7..4553039 100644
--- a/roles/fas_client/files/aliases.template.mailserver
+++ b/roles/fas_client/files/aliases.template.mailserver
@@ -264,7 +264,7 @@ fedora-docker-trusted: scollier,lsm5,mattdm
 fedoraqa-devel-admin: tflink,kparal,mkrizek
 
 # fedora kernel aliases
-kernel-team: da...@redhat.com,jwbo...@redhat.com,jfor...@redhat.com
+kernel-team: jwbo...@redhat.com,jfor...@redhat.com
 kernel-maint: kernel-ma...@redhat.com
 lvm-team: lvm-t...@redhat.com
 fedora-kernel-acpi: 
a...@linux.intel.com,len.br...@intel.com,mj...@srcf.ucam.org
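Review bot: The kernel-team edit is repeated by hand in aliases.template.mailserver at a different offset (line 264 here, line 260 in aliases.template), so the two templates are not line-identical and a later change could easily land in only one of them. Please confirm that no other alias in either file still lists the removed address. The patch also carries no commit message body; add a line stating why the address is removed so the reason is recorded with the change.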
-- 
1.7.2.1


Remove invalid address from kernel-team alias

2015-01-28 Thread Paul W. Frields
Since davej isn't at Red Hat any longer, this patch removes his old
address from the kernel-team alias.


Re: Great Infrastructure projects status roundup

2015-01-28 Thread Pierre-Yves Chibon
On Mon, Jan 26, 2015 at 04:12:31PM +0100, Mathieu Bridon wrote:
> On Fri, 2015-01-23 at 14:10 +0100, Pierre-Yves Chibon wrote:
> > Since it seems to us that all is now fixed and ready, we are re-building the
> > host from scratch and then all that is left is: testing :)
>
> So Pierre-Yves finished rebuilding the host and syncing some git data on
> it from prod.
>
> And things just work. :)
>
> So far, I've tested:
>
> * shell access for admins (works for Pierre-Yves from sysadmin-main,
>   works for me from sysadmin-noc)
>
> * fedpkg clone/push, verifying that push fails for packages I don't
>   have acls on
>
> * git push of branches starting with origin/, which is supposed to
>   fail (https://fedorahosted.org/rel-eng/ticket/4071)
>
> Still needs to be tested:
>
> * cgit seems to not see any package
>
> * fedpkg sources / new-sources fail (looking into this right now)

After some more fighting:
is working:
- shell access for admins
- fedpkg clone, pull, push
  - Fails on package on which user does not have the ACLs
  - Fails on branches not allowed
  - Fails on branches named origin/...
- cgit: http://pkgs.stg.fedoraproject.org/cgit/
- fedpkg new-sources / sources

All this with SELinux enabled.

Fails:
- fedmsg-genacls.sh
- fedmsg messages sent after an upload
Of the two, the last one at least is still SELinux related, no clue for the
first one.

So if we want to move it along, we can run w/o SELinux for the moment (as we do
currently) or wait some more to debug/fix things.

Thanks to Mathieu and tfirg on #selinux for the great help on this work!

Pierre