From 4e1a53b147f8909184ec357e140b1bf3331916e5 Mon Sep 17 00:00:00 2001
From: aikidouke <zachvatwork(a)gmail.com>
Date: Wed, 18 Nov 2015 13:43:59 -0500
Subject: [PATCH 6/6] added csi vars to buildppcle
---
inventory/group_vars/buildppcle | 14 ++++++++++++++
1 file changed, 14 insertions(+)
diff --git a/inventory/group_vars/buildppcle b/inventory/group_vars/buildppcle
index ce342a0..9b4f97d 100644
--- a/inventory/group_vars/buildppcle
+++ b/inventory/group_vars/buildppcle
@@ -29,3 +29,17 @@ sudoers: "{{ private }}/files/sudo/arm-releng-sudoers"
koji_server_url: "http://koji.fedoraproject.org/kojihub"
koji_weburl: "http://koji.fedoraproject.org/koji"
koji_topurl: "http://kojipkgs.fedoraproject.org/"
+
+# These variables are pushed into /etc/system_identification by the base role.
+# Groups and individual hosts should ovveride them with specific info.
+# See http://infrastructure.fedoraproject.org/csi/security-policy/
+
+csi_security_category: High
+csi_primary_contact: Fedora Admins - admin(a)fedoraproject.org
+csi_purpose: Koji service employees a set of virtual machines to build packages for the Fedora project. This group
+builds packages for ppcle architecture.
+csi_relationship: |
+ * Relies on koji-hub, Packages, PkgDB, apache, fedmsg, fas, virthost, and is monitored by nagios
+ * Several services rely on the builders, including koschei, Bodhi, Tagger, SCM, Darkserver.
+ * Produces automated builds of packages for the architecture listed. Builders can be scaled by adding new
+ * virtual instances
--
2.5.0
From 13093e6233ffd9b50c3d1b67a0f9729d9315f32c Mon Sep 17 00:00:00 2001
From: aikidouke <zachvatwork(a)gmail.com>
Date: Wed, 18 Nov 2015 13:43:48 -0500
Subject: [PATCH 5/6] added csi vars to buildppc64
---
inventory/group_vars/buildppc64 | 14 ++++++++++++++
1 file changed, 14 insertions(+)
diff --git a/inventory/group_vars/buildppc64 b/inventory/group_vars/buildppc64
index 939020f..a00a351 100644
--- a/inventory/group_vars/buildppc64
+++ b/inventory/group_vars/buildppc64
@@ -6,3 +6,17 @@ sudoers: "{{ private }}/files/sudo/buildsecondary-sudoers"
koji_server_url: "http://ppc.koji.fedoraproject.org/kojihub"
koji_weburl: "http://ppc.koji.fedoraproject.org/koji"
koji_topurl: "http://ppcpkgs.fedoraproject.org/"
+
+# These variables are pushed into /etc/system_identification by the base role.
+# Groups and individual hosts should ovveride them with specific info.
+# See http://infrastructure.fedoraproject.org/csi/security-policy/
+
+csi_security_category: High
+csi_primary_contact: Fedora Admins - admin(a)fedoraproject.org
+csi_purpose: Koji service employees a set of virtual machines to build packages for the Fedora project. This group
+builds packages for ppc64 architecture.
+csi_relationship: |
+ * Relies on koji-hub, Packages, PkgDB, apache, fedmsg, fas, virthost, and is monitored by nagios
+ * Several services rely on the builders, including koschei, Bodhi, Tagger, SCM, Darkserver.
+ * Produces automated builds of packages for the architecture listed. Builders can be scaled by adding new
+ * virtual instances
--
2.5.0
From 4ae95f97565b755cd0b6ea8bc29bde91e02a1344 Mon Sep 17 00:00:00 2001
From: aikidouke <zachvatwork(a)gmail.com>
Date: Wed, 18 Nov 2015 13:43:18 -0500
Subject: [PATCH 3/6] added csi vars to buildhw
---
inventory/group_vars/buildhw | 14 ++++++++++++++
1 file changed, 14 insertions(+)
diff --git a/inventory/group_vars/buildhw b/inventory/group_vars/buildhw
index ae54fda..b02731c 100644
--- a/inventory/group_vars/buildhw
+++ b/inventory/group_vars/buildhw
@@ -7,3 +7,17 @@ freezes: true
koji_server_url: "http://koji.fedoraproject.org/kojihub"
koji_weburl: "http://koji.fedoraproject.org/koji"
koji_topurl: "http://kojipkgs.fedoraproject.org/"
+
+# These variables are pushed into /etc/system_identification by the base role.
+# Groups and individual hosts should ovveride them with specific info.
+# See http://infrastructure.fedoraproject.org/csi/security-policy/
+
+csi_security_category: High
+csi_primary_contact: Fedora Admins - admin(a)fedoraproject.org
+csi_purpose: Koji service employees a set of virtual machines to build packages for the Fedora project. This group
+builds packages for aarch64 architecture.
+csi_relationship: |
+ * Relies on koji-hub, Packages, PkgDB, apache, fedmsg, fas, virthost, and is monitored by nagios
+ * Several services rely on the builders, including koschei, Bodhi, Tagger, SCM, Darkserver.
+ * Produces automated builds of packages for the architecture listed. Builders can be scaled by adding new
+ * virtual instances
--
2.5.0
From de3b2a013b0ae2f8a8ac9f781fd4753740cce9f6 Mon Sep 17 00:00:00 2001
From: aikidouke <zachvatwork(a)gmail.com>
Date: Wed, 18 Nov 2015 13:43:08 -0500
Subject: [PATCH 2/6] added csi vars to buildarm
---
inventory/group_vars/buildarm | 14 ++++++++++++++
1 file changed, 14 insertions(+)
diff --git a/inventory/group_vars/buildarm b/inventory/group_vars/buildarm
index 3090d56..43368b5 100644
--- a/inventory/group_vars/buildarm
+++ b/inventory/group_vars/buildarm
@@ -5,3 +5,17 @@ sudoers: "{{ private }}/files/sudo/arm-releng-sudoers"
koji_server_url: "http://koji.fedoraproject.org/kojihub"
koji_weburl: "http:/koji.fedoraproject.org/koji"
koji_topurl: "http://kojipkgs.fedoraproject.org/"
+
+# These variables are pushed into /etc/system_identification by the base role.
+# Groups and individual hosts should ovveride them with specific info.
+# See http://infrastructure.fedoraproject.org/csi/security-policy/
+
+csi_security_category: High
+csi_primary_contact: Fedora Admins - admin(a)fedoraproject.org
+csi_purpose: Koji service employees a set of virtual machines to build packages for the Fedora project. This group
+builds packages for arm architecture.
+csi_relationship: |
+ * Relies on koji-hub, Packages, PkgDB, apache, fedmsg, fas, virthost, and is monitored by nagios
+ * Several services rely on the builders, including koschei, Bodhi, Tagger, SCM, Darkserver.
+ * Produces automated builds of packages for the architecture listed. Builders can be scaled by adding new
+ * virtual instances
--
2.5.0
Infra -
Just a quick reminder, tomorrow is our first Infra Apprentice Workday.
Come join us if you can in #fedora-admin or #fedora-noc on IRC. For
more info see; https://fedoraproject.org/wiki/Workday_planning_page
Hope to see you soon,
Zach
#aikidouke
diff --git a/inventory/group_vars/torrent b/inventory/group_vars/torrent
index 896df92..2eaafe5 100644
--- a/inventory/group_vars/torrent
+++ b/inventory/group_vars/torrent
@@ -11,3 +11,6 @@ fas_client_groups:
sysadmin-web,torrentadmin,sysadmin-noc,torrent-cc,fi-apprenti
nrpe_procs_warn: 300
nrpe_procs_crit: 500
+csi_security_category: Low
+csi_primary_contact: Fedora Admins - admin(a)fedoraproject.org
+csi_purpose: Torrent master server for Fedora distribution
diff --git a/inventory/host_vars/torrent01.fedoraproject.orgb/inventory/host_vars/torrent01.fedoraproject.org
index e1a12ab..fccc264 100644
--- a/inventory/host_vars/torrent01.fedoraproject.org
+++ b/inventory/host_vars/torrent01.fedoraproject.org
@@ -15,3 +15,13 @@ postfix_group: vpn
vmhost: ibiblio03.fedoraproject.org
datacenter: ibiblio
+csi_relationship: |
+ torrent01 is the master torrent server for Fedora releases
+
+ * This host relies on:
+ - the virthost it's hosted on (ibiblio03.fedoraproject.org)
+ - FAS to authenticate users
+ - VPN connectivity
+
+ * Things that rely on this host:
+ - if this host is down, Fedora will lose a release distribution channel
Greetings.
I've been meaning to send this out for a while, but keep getting
sidetracked, so today I decided to sit down and get it sent. ;)
Right now, we have a process for new things that come into Fedora
Infrastructure called Request For Resources. This was a process started
long long ago, and revamped a few years ago. The idea of this process
was that it would involve existing infrastructure folks (you MUST get a
sponsor from sysadmin-main for any new RFR), that it would ensure
things like enough people know how the service works that we can
maintain it, that it's monitored, etc. Ie, supported by Fedora
Infrastructure.
This has I think worked pretty well in the past, but we are running
into a number of things in the last few years that this process just
doesn't work right with.
I don't want to suggest yet any solution to this beyond adjusting our
RFR process, but I will start the discussion with some questions:
* In the past we pretty much had a binary support status: supported or
not supported. We kind of added a middle area with jenkins:
supported, but you shouldn't depend on it, we will fix it when we
like. Should we have different support levels? How can we set users
expectation for what level the thing they care about is in?
* Should there be some requirements/expectations for a thing having a
fedoraproject.org dns entry? ie, there have been people who have
approched us for that for applications that they run, etc. How can we
explain to users when something like that is down who to contact?
* What level of support should we say cloud instances have?
* Adding some new service/application to an existing application,
should that follow the entire RFR process? or not since its just
adding to an existing application?
Any other thoughts or questions around this? I look forward to hearing
from folks. ;)
kevin