Merge pull request #1023 from edx/jarv/rc-injera

Jarv/rc injera

AUTHORS

@@ -17,3 +17,15 @@ Kevin Luo <kevluo@edx.org>
 Carson Gee <x@carsongee.com>
 Xavier Antoviaque <xavier@antoviaque.org>
 James Tauber <jtauber@jtauber.com>
+Bertrand Marron <bertrand.marron@ionis-group.com>
+Han Su Kim <hkim823@gmail.com>
+Ned Batchelder <ned@nedbatchelder.com>
+Dave St.Germain <dstgermain@edx.org>
+Gabe Mulley <gabe@edx.org>
+Greg Price <gprice@edx.org>
+William Desloge <william.desloge@ionis-group.com>
+Valera Rozuvan <valera.rozuvan@gmail.com>
+Ker Ruben Ramos <xdiscent@gmail.com>
+Fred Smith <derf@edx.org>
+Wang Peifeng <pku9104038@hotmail.com>
+Ray Hooker <ray.hooker@gmail.com>

cloudformation_templates/edx-admin-reference-architecture.json

@@ -99,10 +99,20 @@
       "Type":"Number",
       "Default":"8090"
     },
-    "MongoServicePort":{
-      "Description":"The TCP port for the deployment mongo server",
-      "Type":"Number",
-      "Default":"10001"
+    "VPCSubnet":{
+      "Description":"The subnet CIDR for the whole VPC.",
+      "Type":"String",
+      "Default":"10.254.0.0/16"
+    },
+    "PrivateSubnet":{
+      "Description":"The subnet CIDR for the private VPC subnet.",
+      "Type":"String",
+      "Default":"10.254.0.0/24"
+    },
+    "PublicSubnet":{
+      "Description":"The subnet CIDR for the public VPC subnet.",
+      "Type":"String",
+      "Default":"10.254.1.0/24"
     }
   },
   "Mappings":{
@@ -141,11 +151,6 @@
       "ap-northeast-1":  { "AMI":"ami-14d86d15" },
       "sa-east-1":       { "AMI":"ami-0439e619" }
     },
-    "SubnetConfig":{
-      "VPC":             { "CIDR":"10.0.0.0/16" },
-      "Public01":        { "CIDR":"10.0.0.0/24" },
-      "Admin":          { "CIDR":"10.0.185.0/24" }
-    },
     "MapRegionsToAvailZones":{
       "us-east-1":       { "AZone2":"us-east-1d",      "AZone0":"us-east-1b",      "AZone1":"us-east-1c" },
       "us-west-1":       { "AZone0":"us-west-1a",      "AZone2":"us-west-1b",      "AZone1":"us-west-1c" },
@@ -163,7 +168,7 @@
       "Properties":{
         "EnableDnsSupport" : "true",
         "EnableDnsHostnames" : "true",
-        "CidrBlock":"10.0.0.0/16",
+        "CidrBlock": { "Ref": "VPCSubnet" },
         "InstanceTenancy":"default"
       }
     },
@@ -173,13 +178,7 @@
         "VpcId":{
           "Ref":"AdminVPC"
         },
-        "CidrBlock":{
-          "Fn::FindInMap":[
-            "SubnetConfig",
-            "Public01",
-            "CIDR"
-          ]
-        },
+        "CidrBlock":{ "Ref": "PublicSubnet" },
         "AvailabilityZone":{
           "Fn::FindInMap":[
             "MapRegionsToAvailZones",
@@ -201,13 +200,7 @@
         "VpcId":{
           "Ref":"AdminVPC"
         },
-        "CidrBlock":{
-          "Fn::FindInMap":[
-            "SubnetConfig",
-            "Admin",
-            "CIDR"
-          ]
-        },
+        "CidrBlock":{ "Ref": "PrivateSubnet" },
         "AvailabilityZone":{
           "Fn::FindInMap":[
             "MapRegionsToAvailZones",
@@ -589,12 +582,6 @@
             "FromPort":"443",
             "ToPort":"443",
             "CidrIp":"0.0.0.0/0"
-          },
-          {
-            "IpProtocol":"tcp",
-            "FromPort":{ "Ref": "MongoServicePort" },
-            "ToPort":{ "Ref": "MongoServicePort" },
-            "CidrIp":"0.0.0.0/0"
           }
         ],
         "SecurityGroupEgress":[
@@ -617,12 +604,6 @@
             "FromPort":"443",
             "ToPort":"443",
             "CidrIp":"0.0.0.0/0"
-          },
-          {
-            "IpProtocol":"tcp",
-            "FromPort":{ "Ref": "MongoServicePort" },
-            "ToPort":{ "Ref": "MongoServicePort" },
-            "CidrIp":"0.0.0.0/0"
           }
         ]
       }

playbooks/ansible.cfg

@@ -6,4 +6,4 @@
 
 jinja2_extensions=jinja2.ext.do
 host_key_checking = False
-roles_path=../../../ansible-roles
+roles_path=../../ansible-roles/roles:../../ansible-private/roles:../../ansible-roles/

playbooks/edx-east/ansible.cfg

@@ -6,4 +6,4 @@
 
 jinja2_extensions=jinja2.ext.do
 host_key_checking=False
-roles_path=../../../ansible-roles
+roles_path=../../../ansible-roles/roles:../../../ansible-private/roles:../../../ansible-roles/

playbooks/edx-east/commoncluster.yml

-# ansible-playbook -i ec2.py commoncluster.yml --extra-vars "deployment=edge env=stage" -e@/path/to/vars/env-deployment.yml -T 30 --list-hosts
+# ansible-playbook -i ec2.py commoncluster.yml --limit tag_Name_stage-edx-commoncluster -e@/path/to/vars/env-deployment.yml -T 30 --list-hosts
 
-- hosts: tag_play_commoncluster:&tag_environment_{{ env }}:&tag_deployment_{{ deployment }}
+- hosts: all
   sudo: True
   serial: 1
+  vars:
+    ENABLE_DATADOG: False
+    ENABLE_SPLUNKFORWARDER: False
+    ENABLE_NEWRELIC: False
   roles:
+    - aws
+    - role: nginx
+      nginx_sites:
+      - xqueue
+    - role: xqueue
+    - role: datadog
+      when: ENABLE_DATADOG
+    - role: splunkforwarder
+      when: ENABLE_SPLUNKFORWARDER
+    - role: newrelic
+      when: ENABLE_NEWRELIC
     - oraclejdk
     - elasticsearch
     - rabbitmq
@@ -13,7 +28,9 @@
 #
 # In order to reconfigure the host resolution we are issuing a
 # reboot.
-- hosts: tag_play_commoncluster:&tag_environment_{{ env }}:&tag_deployment_{{ deployment }}
+# TODO: We should probably poll to ensure the host comes back before moving
+# to the next host so that we don't reboot all of the servers simultaneously
+- hosts: all
   sudo: True
   serial: 1
   vars:
@@ -21,3 +38,5 @@
   tasks:
     - name: reboot
       command: /sbin/shutdown -r now "Reboot is triggered by Ansible"
+      when: reboot
+      tags: reboot

playbooks/edx-east/create_dbs.yml

@@ -83,18 +83,49 @@
         login_host: "{{ item.db_host }}"
         login_user: "{{ item.db_user }}"
         login_password: "{{ item.db_pass }}"
+        append_privs: yes
         host: '%'
+      when: item.db_user != 'None'
       with_items:
         - db_host: "{{ EDXAPP_MYSQL_HOST|default('None') }}"
+          db_name: "{{ EDXAPP_MYSQL_DB_NAME|default('None') }}"
           db_user: "{{ edxapp_db_root_user }}"
           db_pass: "{{ db_root_pass }}"
         - db_host: "{{ XQUEUE_MYSQL_HOST|default('None') }}"
+          db_name: "{{ XQUEUE_MYSQL_DB_NAME|default('None') }}"
           db_user: "{{ xqueue_db_root_user }}"
           db_pass: "{{ db_root_pass }}"
         - db_host: "{{ ORA_MYSQL_HOST|default('None') }}"
+          db_name: "{{ ORA_MYSQL_DB_NAME|default('None') }}"
           db_user: "{{ ora_db_root_user }}"
           db_pass: "{{ db_root_pass }}"
 
+    - name: assign mysql user permissions for migrate user
+      mysql_user:
+        name: "{{ COMMON_MYSQL_MIGRATE_USER }}"
+        priv: "{{ item.db_name }}.*:SELECT,INSERT,UPDATE,DELETE,ALTER,CREATE,DROP,INDEX"
+        password: "{{ COMMON_MYSQL_MIGRATE_PASS }}"
+        login_host: "{{ item.db_host }}"
+        login_user: "{{ item.db_user }}"
+        login_password: "{{ item.db_pass }}"
+        append_privs: yes
+        host: '%'
+      when: item.db_user != 'None'
+      with_items:
+        - db_host: "{{ EDXAPP_MYSQL_HOST|default('None') }}"
+          db_name: "{{ EDXAPP_MYSQL_DB_NAME|default('None') }}"
+          db_user: "{{ edxapp_db_root_user }}"
+          db_pass: "{{ db_root_pass }}"
+        - db_host: "{{ XQUEUE_MYSQL_HOST|default('None') }}"
+          db_name: "{{ XQUEUE_MYSQL_DB_NAME|default('None') }}"
+          db_user: "{{ xqueue_db_root_user }}"
+          db_pass: "{{ db_root_pass }}"
+        - db_host: "{{ ORA_MYSQL_HOST|default('None') }}"
+          db_name: "{{ ORA_MYSQL_DB_NAME|default('None') }}"
+          db_user: "{{ ora_db_root_user }}"
+          db_pass: "{{ db_root_pass }}"
+
+
     - name: assign mysql user permissions for admin user
       mysql_user:
         name: "{{ COMMON_MYSQL_ADMIN_USER }}"
@@ -103,7 +134,9 @@
         login_host: "{{ item.db_host }}"
         login_user: "{{ item.db_user }}"
         login_password: "{{ item.db_pass }}"
+        append_privs: yes
         host: '%'
+      when: item.db_user != 'None'
       with_items:
         - db_host: "{{ EDXAPP_MYSQL_HOST|default('None') }}"
           db_user: "{{ edxapp_db_root_user }}"

playbooks/edx-east/edx_continuous_integration.yml

@@ -18,6 +18,7 @@
       - ora
       - xqueue
       - xserver
+      - certs
       nginx_default_sites:
       - lms
     - edxlocal

playbooks/edx-east/jenkins_admin.yml

@@ -3,10 +3,19 @@
   hosts: all
   sudo: True
   gather_facts: True
+  vars:
+    ENABLE_DATADOG: False
+    ENABLE_SPLUNKFORWARDER: False
+    ENABLE_NEWRELIC: False
   roles:
-  - aws
-  - edx_ansible
-  - user
-  - jenkins_admin
-  - hotg
-  - newrelic
+    - aws
+    - edx_ansible
+    - user
+    - jenkins_admin
+    - hotg
+    - role: datadog
+      when: ENABLE_DATADOG
+    - role: splunkforwarder
+      when: ENABLE_SPLUNKFORWARDER
+    - role: newrelic
+      when: ENABLE_NEWRELIC

playbooks/edx-east/jenkins_worker.yml

@@ -8,6 +8,12 @@
   gather_facts: True
   vars:
     mongo_enable_journal: False
+  vars_files:
+    - roles/edxapp/defaults/main.yml
+    - roles/ora/defaults/main.yml
+    - roles/xqueue/defaults/main.yml
+    - roles/xserver/defaults/main.yml
+    - roles/forum/defaults/main.yml
   roles:
     - common
     - edxlocal

playbooks/edx-east/nginx_redirect.yml

+# Example ansible-playbook -i redirect.example.com -e@/path/to/secure/var/file.yml
+#
+# the secure var file will need to have the following vars defined:
+#
+# NGINX_ENABLE_SSL
+# NGINX_SSL_CERTIFICATE
+# NGINX_SSL_KEY
+# # for the redirects use $scheme://example.com to match the protocol
+#
+# secure vars example:
+#  # Vars for setting up the nginx redirect instance
+#  NGINX_ENABLE_SSL: True
+#  NGINX_SSL_CERTIFICATE: '../../../example-secure/ssl/example.com.crt'
+#  NGINX_SSL_KEY: '../../../example-secure/ssl/example.com.key'
+#  nginx_redirects:
+#  - server_name: nginx-redirect.example.edx.org
+#    redirect: "http://www.example.com"
+#  - server_name: example.com
+#    redirect: "http://www.example.com"
+#    default: true
+#
+#
+#
+# - ...
+- name: utility play to setup an nginx redirect
+  hosts: all
+  sudo: True
+  gather_facts: True
+  roles:
+    - role: nginx
+      nginx_sites:
+      - nginx_redirect

playbooks/edx-east/ora2.yml

+# Deploy a specific version of edx-ora2 and re-run migrations
+# edx-ora2 is already included in the requirements for edx-platform,
+# but we need to override that version when deploying to
+# the continuous integration server for testing ora2 changes.
+
+- name: Update edx-ora2
+  hosts: all
+  sudo: True
+  gather_facts: True
+  vars:
+    - edxapp_venv_dir: "/edx/app/edxapp/venvs/edxapp"
+    - edxapp_code_dir: "/edx/app/edxapp/edx-platform"
+    - edxapp_deploy_path: "{{ edxapp_venv_dir }}/bin:{{ edxapp_code_dir }}/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+    - edxapp_user: "edxapp"
+    - edxapp_mysql_user: "migrate"
+    - edxapp_mysql_password: "password"
+    - supervisorctl_path: "/edx/bin/supervisorctl"
+    - ora2_version: "master"
+    - ora2_pip_req: "git+https://github.com/edx/edx-ora2.git@{{ ora2_version }}#egg=edx-ora2"
+
+  tasks:
+    - name: install edx-ora2
+      shell: >
+        {{ edxapp_venv_dir }}/bin/pip install -e {{ ora2_pip_req }}
+        chdir={{ edxapp_code_dir }}
+      environment:
+        PATH: "{{ edxapp_deploy_path }}"
+      sudo_user: "{{ edxapp_user }}"
+      notify:
+        - "restart edxapp"
+
+    - name: syncdb and migrate
+      shell: >
+        {{ edxapp_venv_dir }}/bin/python manage.py lms syncdb --migrate --noinput --settings=aws_migrate
+        chdir={{ edxapp_code_dir }}
+      environment:
+        DB_MIGRATION_USER: "{{ edxapp_mysql_user }}"
+        DB_MIGRATION_PASS: "{{ edxapp_mysql_password }}"
+      notify:
+        - "restart edxapp"
+
+  handlers:
+    - name: restart edxapp
+      shell: "{{ supervisorctl_path }} restart edxapp:{{ item }}"
+      with_items:
+        - lms
+        - cms

playbooks/edx-east/rabbitmq.yml

 - name: Deploy rabbitmq
   hosts: all
   sudo: True
-  gather_facts: False
+  # The rabbitmq role depends on
+  # ansible_default_ipv4 so
+  # gather_facts must be set to True
+  gather_facts: True
   roles:
     - aws
     - rabbitmq

playbooks/edx_sandbox.yml

@@ -38,7 +38,7 @@
     - forum
     - { role: "xqueue", update_users: True }
     - ora
-    - discern
+    - certs
     - edx_ansible
     - role: datadog
       when: ENABLE_DATADOG

playbooks/roles/analytics-server/tasks/deploy.yml

@@ -25,6 +25,7 @@
 - name: checkout code
   git:
     dest={{ as_code_dir }} repo={{ as_source_repo }}
+    accept_hostkey=yes
     version={{ as_version }} force=true
   environment:
     GIT_SSH: $as_git_ssh

playbooks/roles/analytics/tasks/deploy.yml

@@ -25,6 +25,7 @@
 - name: checkout code
   git:
     dest={{ analytics_code_dir }} repo={{ analytics_source_repo }}
+    accept_hostkey=yes
     version={{ analytics_version }} force=true
   environment:
     GIT_SSH: $analytics_git_ssh

playbooks/roles/aws/defaults/main.yml

@@ -43,7 +43,7 @@ aws_app_dir: "{{ COMMON_APP_DIR }}/aws"
 aws_s3_sync_script: "{{ aws_app_dir }}/send-logs-to-s3"
 aws_s3_logfile: "{{ aws_log_dir }}/s3-log-sync.log"
 aws_log_dir: "{{ COMMON_LOG_DIR }}/aws"
-
+aws_region: "us-east-1"
 # default path to the aws binary
 aws_cmd: "{{ COMMON_BIN_DIR }}/s3cmd"
 #

playbooks/roles/aws/templates/send-logs-to-s3.j2

@@ -10,12 +10,7 @@ if (( $EUID != 0 )); then
     exit 1
 fi
 
-S3_LOGFILE="{{ aws_s3_logfile }}"
-NOTIFY_EMAIL={{ AWS_S3_LOGS_NOTIFY_EMAIL }}
-FROM_EMAIL={{ AWS_S3_LOGS_FROM_EMAIL }}
-AWS_CMD={{ aws_cmd }}
-
-exec > >(tee $S3_LOGFILE) 
+exec > >(tee "{{ aws_s3_logfile }}")
 exec 2>&1
 
 shopt -s extglob
@@ -23,11 +18,11 @@ shopt -s extglob
 usage() {
 
   cat<<EO
- 
+
   A wrapper of s3cmd sync that will sync files to
-  an s3 bucket, will send mail to {{ AWS_S3_LOGS_NOTIFY_EMAIL }} 
+  an s3 bucket, will send mail to {{ AWS_S3_LOGS_NOTIFY_EMAIL }}
   on failures.
- 
+
   Usage: $PROG
             -v    add verbosity (set -x)
             -n    echo what will be done
@@ -57,7 +52,7 @@ done
 # bucket
 
 # If there are any errors from this point
-# send mail to $NOTIFY_EMAIL
+# send mail to {{ AWS_S3_LOGS_NOTIFY_EMAIL }}
 
 set -e
 
@@ -68,22 +63,22 @@ s3_path=unset
 onerror() {
   if [[ -z $noop ]]; then
     message_file=/var/tmp/message-$$.json
-    message_string="Error syncing $s3_path: inst_id=$instance_id ip=$ip region=$region"
-    if [[ -r $S3_LOGFILE ]]; then
-      python -c "import json; d={'Subject':{'Data':'$message_string'},'Body':{'Text':{'Data':open('$S3_LOGFILE').read()}}};print json.dumps(d)" > $message_file
+    message_string="Error syncing $s3_path: inst_id=$instance_id ip=$ip region={{ aws_region }}"
+    if [[ -r "{{ aws_s3_logfile }}" ]]; then
+      python -c "import json; d={'Subject':{'Data':'$message_string'},'Body':{'Text':{'Data':open('"{{ aws_s3_logfile }}"').read()}}};print json.dumps(d)" > $message_file
     else
       cat << EOF > $message_file
       {"Subject": { "Data": "$message_string" }, "Body": { "Text": { "Data": "!! ERROR !! no logfile" } } }
 EOF
     fi
     echo "ERROR: syncing $s3_path on $instance_id"
-    $AWS_CMD ses send-email --from $FROM_EMAIL --to $NOTIFY_EMAIL --message file://$message_file --region $region
+    {{ aws_cmd }} ses send-email --from {{ AWS_S3_LOGS_FROM_EMAIL }} --to {{ AWS_S3_LOGS_NOTIFY_EMAIL }} --message file://$message_file --region {{ aws_region }}
   else
     echo "Error syncing $s3_path on $instance_id"
   fi
 }
 
-trap onerror ERR SIGHUP SIGINT SIGTERM 
+trap onerror ERR SIGHUP SIGINT SIGTERM
 
 # first security group is used as the directory name in the bucket
 sec_grp=$(ec2metadata --security-groups | head -1)
@@ -95,5 +90,5 @@ region=${availability_zone:0:${{lb}}#availability_zone{{rb}} - 1}
 
 s3_path="${2}/$sec_grp/"
 {% for item in AWS_S3_LOG_PATHS -%}
-$noop $AWS_CMD sync {{ item['path'] }} "s3://{{ item['bucket'] }}/$sec_grp/${instance_id}-${ip}/"
+$noop {{ aws_cmd }} sync {{ item['path'] }} "s3://{{ item['bucket'] }}/$sec_grp/${instance_id}-${ip}/"
 {% endfor %}

playbooks/roles/bastion/tasks/main.yml

@@ -28,6 +28,9 @@
     extra_args="-i {{ COMMON_PYPI_MIRROR_URL }}"
   with_items: bastion_pip_pkgs
 
+# These templates rely on there being a global
+# read_only mysql user, you must override the default
+# in order for these templates to be written out
 - template: >
     src=mysql.sh.j2
     dest=/home/{{ item[0] }}/{{ item[1].script_name }}
@@ -44,7 +47,11 @@
       - db_host: "{{ ORA_MYSQL_HOST }}"
         db_name: "{{ ORA_MYSQL_DB_NAME }}"
         script_name: ora-rds.sh
+  when: COMMON_MYSQL_READ_ONLY_PASS
 
+# These templates rely on there being a global
+# read_only mongo user, you must override the default
+# in order for these templates to be written out
 - template: >
     src=mongo.sh.j2
     dest=/home/{{ item[0] }}/{{ item[1].script_name }}
@@ -60,3 +67,4 @@
         db_name: "{{ FORUM_MONGO_DATABASE }}"
         db_port: "{{ FORUM_MONGO_PORT }}"
         script_name: forum-mongo.sh
+  when: COMMON_MONGO_READ_ONLY_PASS

playbooks/roles/certs/defaults/main.yml

@@ -25,18 +25,39 @@ CERTS_AWS_KEY: ""
 CERTS_AWS_ID: ""
 # GPG key ID, defaults to the dummy key
 CERTS_KEY_ID: "FEF8D954"
-# Path to git identity file for pull access to
-# the edX certificates repo - REQUIRED
-# Example - {{ secure_dir }}/files/git-identity
-CERTS_GIT_IDENTITY: !!null
+# Contents of the identity for a private
+# repo. Leave set to "none" if using the public
+# certificate repo
+CERTS_GIT_IDENTITY: "none"
 # Path to public and private gpg key for signing
 # the edX certificate. Default is a dummy key
 CERTS_LOCAL_PRIVATE_KEY: "example-private-key.txt"
 
+# This defaults to the public certificates repo which is
+# used for open-edx
+CERTS_REPO: "https://github.com/edx/read-only-certificate-code"
+CERTS_NGINX_PORT: 18090
+CERTS_WEB_ROOT: "{{ certs_data_dir }}/www-data"
+CERTS_URL: "http://localhost:{{ CERTS_NGINX_PORT }}"
+CERTS_DOWNLOAD_URL: "http://localhost:{{ CERTS_NGINX_PORT }}"
+CERTS_VERIFY_URL: "http://localhost:{{ CERTS_NGINX_PORT }}"
+# Set to false if using s3 or if you don't want certificates
+# copied to the web root
+CERTS_COPY_TO_WEB_ROOT: true
+CERTS_S3_UPLOAD: false
+
+# Can be set to a different repo for private
+# templates, fonts, etc.
+CERTS_TEMPLATE_DATA_DIR: 'template_data'
+# this is the trust export, output of
+# gpg --export-ownertrust
+CERTS_OWNER_TRUST: "A9F9EAD11A0A6E7E5A037BDC044089B6FEF8D954:6:\n"
+
 ########## Internal role vars below
 
 certs_user: certs
 certs_app_dir: "{{ COMMON_APP_DIR }}/certs"
+certs_data_dir: "{{ COMMON_DATA_DIR }}/certs"
 certs_code_dir: "{{ certs_app_dir }}/certificates"
 certs_venvs_dir: "{{ certs_app_dir }}/venvs"
 certs_venv_dir: "{{ certs_venvs_dir }}/certs"
@@ -44,7 +65,6 @@ certs_venv_bin: "{{ certs_venv_dir }}/bin"
 certs_git_ssh: /tmp/git_ssh.sh
 certs_git_identity: "{{ certs_app_dir }}/certs-git-identity"
 certs_requirements_file: "{{ certs_code_dir }}/requirements.txt"
-certs_repo: "git@github.com:/edx/certificates"
 certs_version: 'master'
 certs_gpg_dir: "{{ certs_app_dir }}/gnupg"
 certs_env_config:
@@ -57,6 +77,13 @@ certs_env_config:
   CERT_KEY_ID: $CERTS_KEY_ID
   LOGGING_ENV: ""
   CERT_GPG_DIR: $certs_gpg_dir
+  CERT_URL: $CERTS_URL
+  CERT_DOWNLOAD_URL: $CERTS_DOWNLOAD_URL
+  CERT_WEB_ROOT: $CERTS_WEB_ROOT
+  COPY_TO_WEB_ROOT: $CERTS_COPY_TO_WEB_ROOT
+  S3_UPLOAD: $CERTS_S3_UPLOAD
+  CERT_VERIFY_URL: $CERTS_VERIFY_URL
+  TEMPLATE_DATA_DIR: $CERTS_TEMPLATE_DATA_DIR
 
 certs_auth_config:
   QUEUE_USER: $CERTS_QUEUE_USER

playbooks/roles/certs/files/example-key-ownertrust.txt

+A9F9EAD11A0A6E7E5A037BDC044089B6FEF8D954:6:

playbooks/roles/certs/tasks/deploy.yml

@@ -36,14 +36,19 @@
     owner={{ certs_user }} mode=750
   notify: restart certs
 
+# This key is only needed if you are pulling down a private
+# certificates repo
 - name: install read-only ssh key for the certs repo
   copy: >
     content="{{ CERTS_GIT_IDENTITY }}" dest={{ certs_git_identity }}
     force=yes owner={{ certs_user }} mode=0600
+  when: CERTS_GIT_IDENTITY != "none"
   notify: restart certs
 
 - name: checkout certificates repo into {{ certs_code_dir }}
-  git: dest={{ certs_code_dir }} repo={{ certs_repo }} version={{ certs_version }}
+  git: >
+    dest={{ certs_code_dir }} repo={{ CERTS_REPO }} version={{ certs_version }}
+    accept_hostkey=yes
   sudo_user: "{{ certs_user }}"
   environment:
     GIT_SSH: "{{ certs_git_ssh }}"
@@ -51,6 +56,7 @@
 
 - name: remove read-only ssh key for the certs repo
   file: path={{ certs_git_identity }} state=absent
+  when: CERTS_GIT_IDENTITY != "none"
   notify: restart certs
 
 - name : install python requirements

playbooks/roles/certs/tasks/main.yml

@@ -31,10 +31,6 @@
 #     - supervisor
 #     - certs
 #
-- name: Checking to see if git identity is set
-  fail: msg="You must set CERTS_GIT_IDENTITY var for this role!"
-  when: not CERTS_GIT_IDENTITY
-
 - name: create application user
   user: >
     name="{{ certs_user }}"
@@ -43,7 +39,7 @@
     shell=/bin/false
   notify: restart certs
 
-- name: create certs app and data dirs
+- name: create certs app dirs
   file: >
     path="{{ item }}"
     state=directory
@@ -52,7 +48,20 @@
   notify: restart certs
   with_items:
     - "{{ certs_app_dir }}"
+    # needed for the ansible 1.5 git module
+    - "{{ certs_app_dir }}/.ssh"
     - "{{ certs_venvs_dir }}"
+    - "{{ certs_data_dir }}"
+
+# The certs web root must be owned
+# by the web user so the certs service
+# can write files there.
+- name: create certs web root
+  file: >
+    path="{{ CERTS_WEB_ROOT }}"
+    state=directory
+    owner="{{ common_web_group }}"
+    group="{{ certs_user }}"
 
 - name: create certs gpg dir
   file: >
@@ -69,6 +78,12 @@
   notify: restart certs
   register: certs_gpg_key
 
+- name: copy the pgp trust export
+  copy: >
+    content="{{ CERTS_OWNER_TRUST }}"
+    dest={{ certs_app_dir }}/trust.export
+    owner={{ common_web_user }} mode=0600
+  notify: restart certs
 
 - name: load the gpg key
   shell: >
@@ -77,4 +92,11 @@
   when: certs_gpg_key.changed
   notify: restart certs
 
+- name: import the trust export
+  shell: >
+    /usr/bin/gpg --homedir {{ certs_gpg_dir }} --import-ownertrust {{ certs_app_dir }}/trust.export
+  sudo_user: "{{ common_web_user }}"
+  when: certs_gpg_key.changed
+  notify: restart certs
+
 - include: deploy.yml tags=deploy

playbooks/roles/common/defaults/main.yml

@@ -30,18 +30,22 @@ COMMON_CUSTOM_DHCLIENT_CONFIG: false
 
 
 COMMON_MOTD_TEMPLATE: "motd.tail.j2"
+COMMON_SSH_PASSWORD_AUTH: "no"
 
-# These are two special accounts across all databases
+# These are three maintenance accounts across all databases
 # the read only user is is granted select privs on all dbs
 # the admin user is granted create user privs on all dbs
+# the migrate user is granted table alter privs on all dbs
 
 COMMON_MYSQL_READ_ONLY_USER: 'read_only'
-COMMON_MYSQL_READ_ONLY_PASS: 'password'
+COMMON_MYSQL_READ_ONLY_PASS: !!null
 COMMON_MYSQL_ADMIN_USER: 'admin'
-COMMON_MYSQL_ADMIN_PASS: 'password'
+COMMON_MYSQL_ADMIN_PASS: !!null
+COMMON_MYSQL_MIGRATE_USER: 'migrate'
+COMMON_MYSQL_MIGRATE_PASS: !!null
 
 COMMON_MONGO_READ_ONLY_USER: 'read_only'
-COMMON_MONGO_READ_ONLY_PASS: 'password'
+COMMON_MONGO_READ_ONLY_PASS: !!null
 
 common_debian_pkgs:
   - ntp

playbooks/roles/common/templates/sshd_config.j2

@@ -51,7 +51,7 @@ PermitEmptyPasswords no
 ChallengeResponseAuthentication no
 
 # Change to no to disable tunnelled clear text passwords
-PasswordAuthentication no
+PasswordAuthentication {{ COMMON_SSH_PASSWORD_AUTH }}
 
 # Kerberos options
 #KerberosAuthentication no

playbooks/roles/datadog/defaults/main.yml

 ---
 
-datadog_api_key: "PUT_YOUR_API_KEY_HERE"
+DATADOG_API_KEY: "PUT_YOUR_API_KEY_HERE"
 
 datadog_apt_key: "http://keyserver.ubuntu.com/pks/lookup?op=get&search=0x226AE980C7A7DA52"
 

playbooks/roles/datadog/tasks/main.yml

@@ -45,7 +45,7 @@
   lineinfile: >
     dest="/etc/dd-agent/datadog.conf"
     regexp="^api_key:.*"
-    line="api_key:{{ datadog_api_key }}"
+    line="api_key:{{ DATADOG_API_KEY }}"
   notify:
     - restart the datadog service
   tags:

playbooks/roles/demo/tasks/deploy.yml

 ---
 
 - name: check out the demo course
-  git: dest={{ demo_code_dir }}  repo={{ demo_repo }} version={{ demo_version }}
+  git: >
+    dest={{ demo_code_dir }}  repo={{ demo_repo }} version={{ demo_version }}
+    accept_hostkey=yes
   sudo_user: "{{ demo_edxapp_user }}"
   register: demo_checkout
 

playbooks/roles/discern/tasks/deploy.yml

@@ -33,20 +33,26 @@
     - restart discern
 
 - name: git checkout discern repo into discern_code_dir
-  git: dest={{ discern_code_dir }} repo={{ discern_source_repo }} version={{ discern_version }}
+  git: >
+    dest={{ discern_code_dir }} repo={{ discern_source_repo }} version={{ discern_version }}
+    accept_hostkey=yes
   sudo_user: "{{ discern_user }}"
   notify:
     - restart discern
 
 - name: git checkout ease repo into discern_ease_code_dir
-  git: dest={{ discern_ease_code_dir}} repo={{ discern_ease_source_repo }} version={{ discern_ease_version }}
+  git: >
+    dest={{ discern_ease_code_dir}} repo={{ discern_ease_source_repo }} version={{ discern_ease_version }}
+    accept_hostkey=yes
   sudo_user: "{{ discern_user }}"
   notify:
     - restart discern
 
 #Numpy has to be a pre-requirement in order for scipy to build
 - name : install python pre-requirements for discern and ease
-  pip: requirements={{item}} virtualenv={{ discern_venv_dir }} state=present
+  pip: >
+    requirements={{item}} virtualenv={{ discern_venv_dir }} state=present
+    extra_args="-i {{ COMMON_PYPI_MIRROR_URL }}"
   sudo_user: "{{ discern_user }}"
   notify:
     - restart discern
@@ -55,7 +61,9 @@
     - "{{ discern_ease_pre_requirements_file }}"
 
 - name : install python requirements for discern and ease
-  pip: requirements={{item}} virtualenv={{ discern_venv_dir }} state=present
+  pip: >
+    requirements={{item}} virtualenv={{ discern_venv_dir }} state=present
+    extra_args="-i {{ COMMON_PYPI_MIRROR_URL }}"
   sudo_user: "{{ discern_user }}"
   notify:
     - restart discern

playbooks/roles/edx_ansible/defaults/main.yml

@@ -29,6 +29,7 @@ edx_ansible_debian_pkgs:
   - libxml2-dev
   - libxslt1-dev
   - curl
+  - python-yaml
 edx_ansible_app_dir: "{{ COMMON_APP_DIR }}/edx_ansible"
 edx_ansible_code_dir: "{{ edx_ansible_app_dir }}/edx_ansible"
 edx_ansible_data_dir: "{{ COMMON_DATA_DIR }}/edx_ansible"

playbooks/roles/edx_ansible/tasks/deploy.yml

 ---
 - name: git checkout edx_ansible repo into edx_ansible_code_dir
-  git: dest={{ edx_ansible_code_dir }} repo={{ edx_ansible_source_repo }} version={{ configuration_version }}
+  git: >
+    dest={{ edx_ansible_code_dir }} repo={{ edx_ansible_source_repo }} version={{ configuration_version }}
+    accept_hostkey=yes
   sudo_user: "{{ edx_ansible_user }}"
 
 - name : install edx_ansible venv requirements
-  pip: requirements="{{ edx_ansible_requirements_file }}" virtualenv="{{ edx_ansible_venv_dir }}" state=present
+  pip: >
+    requirements="{{ edx_ansible_requirements_file }}" virtualenv="{{ edx_ansible_venv_dir }}" state=present
+    extra_args="-i {{ COMMON_PYPI_MIRROR_URL }}"
   sudo_user: "{{ edx_ansible_user }}"
 
 - name: create update script

playbooks/roles/edx_ansible/templates/update.j2

@@ -12,7 +12,7 @@ IFS=","
             -v        add verbosity to edx_ansible run
             -h        this
 
-    <repo> - must be one of edx-platform, xqueue, cs_comments_service, xserver, ease, discern, edx-ora, configuration
+    <repo> - must be one of edx-platform, xqueue, cs_comments_service, xserver, ease, edx-ora, configuration, read-only-certificate-code
     <version> - can be a commit or tag
 
 EO
@@ -39,16 +39,17 @@ if [[ -f {{ edx_ansible_var_file }} ]]; then
 fi
 
 declare -A repos_to_cmd
-edx_ansible_cmd="{{ edx_ansible_venv_bin}}/ansible-playbook -i localhost, -c local --tags deploy $extra_args "
+edx_ansible_cmd="{{ edx_ansible_venv_bin }}/ansible-playbook -i localhost, -c local --tags deploy $extra_args "
 
 repos_to_cmd["edx-platform"]="$edx_ansible_cmd edxapp.yml -e 'edx_platform_version=$2'"
 repos_to_cmd["xqueue"]="$edx_ansible_cmd xqueue.yml -e 'xqueue_version=$2'"
+repos_to_cmd["xserver"]="$edx_ansible_cmd xserver.yml -e 'xserver_version=$2'"
 repos_to_cmd["cs_comments_service"]="$edx_ansible_cmd forum.yml -e 'forum_version=$2'"
 repos_to_cmd["xserver"]="$edx_ansible_cmd forums.yml -e 'xserver_version=$2'"
 repos_to_cmd["ease"]="$edx_ansible_cmd discern.yml -e 'discern_ease_version=$2' && $edx_ansible_cmd ora.yml -e 'ora_ease_version=$2'"
-repos_to_cmd["discern"]="$edx_ansible_cmd discern.yml -e 'discern_version=$2'"
 repos_to_cmd["edx-ora"]="$edx_ansible_cmd ora.yml -e 'ora_version=$2'"
 repos_to_cmd["configuration"]="$edx_ansible_cmd edx_ansible.yml -e 'configuration_version=$2'"
+repos_to_cmd["read-only-certificate-code"]="$edx_ansible_cmd certs.yml -e 'certs_version=$2'"
 
 
 if [[ -z $1 || -z $2 ]]; then

playbooks/roles/edxapp/defaults/main.yml

@@ -67,6 +67,9 @@ EDXAPP_CAS_SERVER_URL: ''
 EDXAPP_CAS_EXTRA_LOGIN_PARAMS: ''
 EDXAPP_CAS_ATTRIBUTE_CALLBACK: ''
 EDXAPP_CAS_ATTRIBUTE_PACKAGE: ''
+# Enable an end-point that creates a user and logs them in
+# Used for performance testing
+EDXAPP_ENABLE_AUTO_AUTH: false
 
 EDXAPP_FEATURES:
   AUTH_USE_OPENID_PROVIDER: true
@@ -78,6 +81,7 @@ EDXAPP_FEATURES:
   PREVIEW_LMS_BASE: $EDXAPP_PREVIEW_LMS_BASE
   ENABLE_S3_GRADE_DOWNLOADS: true
   USE_CUSTOM_THEME: $edxapp_use_custom_theme
+  AUTOMATIC_AUTH_FOR_TESTING: $EDXAPP_ENABLE_AUTO_AUTH
 
 EDXAPP_BOOK_URL: ''
 # This needs to be set to localhost
@@ -125,6 +129,18 @@ EDXAPP_STATIC_URL_BASE: "/static/"
 EDXAPP_GRADE_STORAGE_TYPE: 'localfs'
 EDXAPP_GRADE_BUCKET: 'edx-grades'
 EDXAPP_GRADE_ROOT_PATH: '/tmp/edx-s3/grades'
+# Credit card processor
+# These are the same defaults set in common.py
+EDXAPP_CC_PROCESSOR:
+  CyberSource:
+    SHARED_SECRET: ''
+    MERCHANT_ID: ''
+    SERIAL_NUMBER: ''
+    ORDERPAGE_VERSION: '7'
+    PURCHASE_ENDPOINT: ''
+
+# does not affect verified students
+EDXAPP_PAID_COURSE_REGISTRATION_CURRENCY: ['usd', '$']
 
 # Configure rake tasks in edx-platform to skip Python/Ruby/Node installation
 EDXAPP_NO_PREREQ_INSTALL: 1
@@ -399,6 +415,7 @@ generic_env_config:  &edxapp_generic_env
 
 lms_auth_config:
   <<: *edxapp_generic_auth
+  CC_PROCESSOR: $EDXAPP_CC_PROCESSOR
   MODULESTORE:
     default:
       ENGINE: 'xmodule.modulestore.mixed.MixedModuleStore'
@@ -426,6 +443,7 @@ lms_auth_config:
 
 lms_env_config:
   <<: *edxapp_generic_env
+  PAID_COURSE_REGISTRATION_CURRENCY: $EDXAPP_PAID_COURSE_REGISTRATION_CURRENCY
   'CODE_JAIL':
     # from https://github.com/edx/codejail/blob/master/codejail/django_integration.py#L24, '' should be same as None
     'python_bin': '{% if EDXAPP_PYTHON_SANDBOX %}{{ edxapp_sandbox_venv_dir }}/bin/python{% endif %}'

playbooks/roles/edxapp/tasks/deploy.yml

@@ -28,7 +28,9 @@
 
 # Do A Checkout
 - name: checkout edx-platform repo into {{edxapp_code_dir}}
-  git: dest={{edxapp_code_dir}} repo={{edx_platform_repo}} version={{edx_platform_version}}
+  git: >
+    dest={{edxapp_code_dir}} repo={{edx_platform_repo}} version={{edx_platform_version}}
+    accept_hostkey=yes
   register: chkout
   sudo_user: "{{ edxapp_user }}"
   environment:
@@ -45,7 +47,9 @@
   - "restart edxapp_workers"
 
 - name: checkout theme
-  git: dest={{ edxapp_app_dir }}/themes/{{edxapp_theme_name}} repo={{edxapp_theme_source_repo}} version={{edxapp_theme_version}}
+  git: >
+    dest={{ edxapp_app_dir }}/themes/{{edxapp_theme_name}} repo={{edxapp_theme_source_repo}} version={{edxapp_theme_version}}
+    accept_hostkey=yes
   when: edxapp_theme_name != ''
   sudo_user: "{{ edxapp_user }}"
   environment:

playbooks/roles/edxapp/tasks/main.yml

@@ -19,6 +19,8 @@
   - "restart edxapp_workers"
   with_items:
     - "{{ edxapp_app_dir }}"
+    # needed for the ansible 1.5 git module
+    - "{{ edxapp_app_dir }}/.ssh"
     - "{{ edxapp_data_dir }}"
     - "{{ edxapp_venvs_dir }}"
     - "{{ edxapp_theme_dir }}"

playbooks/roles/edxapp/tasks/service_variant_config.yml

@@ -77,7 +77,10 @@
 
 # Fake syncdb with migrate, only when fake_migrations is defined
 # This overrides the database name to be the test database which
-# the default application user has full write access to
+# the default application user has full write access to.
+#
+# This is run in cases where you want to test to see if migrations
+# work without actually runnning them (when creating AMIs for example).
 - name: syncdb and migrate
   shell: >
     chdir={{ edxapp_code_dir }}
@@ -90,12 +93,27 @@
   - "restart edxapp"
   - "restart edxapp_workers"
 
-# Regular syncdb with migrate
+# Syncdb with migrate when the migrate user is overridden in extra vars
+- name: syncdb and migrate
+  shell: >
+    chdir={{ edxapp_code_dir }}
+    {{ edxapp_venv_bin}}/python manage.py lms syncdb --migrate --noinput --settings=aws_migrate
+  when: fake_migrations is not defined and migrate_db is defined and migrate_db|lower == "yes" and COMMON_MYSQL_MIGRATE_PASS
+  environment:
+    DB_MIGRATION_USER: "{{ COMMON_MYSQL_MIGRATE_USER }}"
+    DB_MIGRATION_PASS: "{{ COMMON_MYSQL_MIGRATE_PASS }}"
+  sudo_user: "{{ edxapp_user }}"
+  notify:
+  - "restart edxapp"
+  - "restart edxapp_workers"
+
+# Syncdb with migrate when the default migrate user is not set,
+# in this case use the EDXAPP_MYSQL_USER_MIGRATE user to run migrations
 - name: syncdb and migrate
   shell: >
     chdir={{ edxapp_code_dir }}
     {{ edxapp_venv_bin}}/python manage.py lms syncdb --migrate --noinput --settings=aws_migrate
-  when: fake_migrations is not defined and migrate_db is defined and migrate_db|lower == "yes"
+  when: fake_migrations is not defined and migrate_db is defined and migrate_db|lower == "yes" and not COMMON_MYSQL_MIGRATE_PASS
   environment:
     DB_MIGRATION_USER: "{{ EDXAPP_MYSQL_USER_MIGRATE }}"
     DB_MIGRATION_PASS: "{{ EDXAPP_MYSQL_PASSWORD_MIGRATE }}"
@@ -104,6 +122,7 @@
   - "restart edxapp"
   - "restart edxapp_workers"
 
+
 # Fake migrate, only when fake_migrations is defined
 # This overrides the database name to be the test database which
 # the default application user has full write access to

playbooks/roles/forum/defaults/main.yml

@@ -48,8 +48,8 @@ forum_environment:
   NEW_RELIC_LICENSE_KEY: "{{ FORUM_NEW_RELIC_LICENSE_KEY }}"
   WORKER_PROCESSES: "{{ FORUM_WORKER_PROCESSES }}"
   DATA_DIR: "{{ forum_data_dir }}"
-  FORUM_LISTEN_HOST: "{{ FORUM_LISTEN_HOST }}"
-  FORUM_LISTEN_PORT: "{{ FORUM_LISTEN_PORT }}"
+  LISTEN_HOST: "{{ FORUM_LISTEN_HOST }}"
+  LISTEN_PORT: "{{ FORUM_LISTEN_PORT }}"
 
 forum_user: "forum"
 forum_ruby_version: "1.9.3-p448"

playbooks/roles/forum/tasks/deploy.yml

@@ -30,7 +30,9 @@
   notify: restart the forum service
 
 - name:  git checkout forum repo into {{ forum_code_dir }}
-  git: dest={{ forum_code_dir }} repo={{ forum_source_repo }} version={{ forum_version }}
+  git: >
+    dest={{ forum_code_dir }} repo={{ forum_source_repo }} version={{ forum_version }}
+    accept_hostkey=yes
   sudo_user: "{{ forum_user }}"
   notify: restart the forum service
 

playbooks/roles/jenkins_admin/defaults/main.yml

@@ -75,6 +75,8 @@ jenkins_admin_debian_pkgs:
   # for status.edx.org
   - ruby
   - ruby1.9.1
+  # for check-migrations
+  - mysql-client
 
 jenkins_admin_gem_pkgs:
   # for generating status.edx.org

playbooks/roles/jenkins_admin/tasks/main.yml

@@ -66,17 +66,17 @@
 
 - name: configure s3 plugin
   template: >
-    src="./{{jenkins_home}}/hudson.plugins.s3.S3BucketPublisher.xml.j2"
-    dest="{{jenkins_home}}/hudson.plugins.s3.S3BucketPublisher.xml"
-    owner={{jenkins_user}}
-    group={{jenkins_group}}
+    src="./{{ jenkins_home }}/hudson.plugins.s3.S3BucketPublisher.xml.j2"
+    dest="{{ jenkins_home }}/hudson.plugins.s3.S3BucketPublisher.xml"
+    owner={{ jenkins_user }}
+    group={{ jenkins_group }}
     mode=0644
 
 - name: create the ssh directory
   file: >
-    path={{jenkins_home}}/.ssh
-    owner={{jenkins_user}}
-    group={{jenkins_group}}
+    path={{ jenkins_home }}/.ssh
+    owner={{ jenkins_user }}
+    group={{ jenkins_group }}
     mode=0700
     state=directory
 
@@ -89,34 +89,34 @@
 - name: drop the secure credentials
   copy: >
     content="{{ JENKINS_ADMIN_GIT_KEY }}"
-    dest={{jenkins_home}}/.ssh/id_rsa
-    owner={{jenkins_user}}
-    group={{jenkins_group}}
+    dest={{ jenkins_home }}/.ssh/id_rsa
+    owner={{ jenkins_user }}
+    group={{ jenkins_group }}
     mode=0600
 
 - name: create job directory
   file: >
-    path="{{jenkins_home}}/jobs"
-    owner="{{jenkins_user}}"
-    group="{{jenkins_group}}"
+    path="{{ jenkins_home }}/jobs"
+    owner="{{ jenkins_user }}"
+    group="{{ jenkins_group }}"
     mode=0755
     state=directory
 
 - name: create admin job directories
   file: >
-    path="{{jenkins_home}}/jobs/{{item}}"
-    owner={{jenkins_user}}
-    group={{jenkins_group}}
+    path="{{ jenkins_home }}/jobs/{{ item }}"
+    owner={{ jenkins_user }}
+    group={{ jenkins_group }}
     mode=0755
     state=directory
   with_items: jenkins_admin_jobs
 
 - name: create admin job config files
   template: >
-    src="./{{jenkins_home}}/jobs/{{item}}/config.xml.j2"
-    dest="{{jenkins_home}}/jobs/{{item}}/config.xml"
-    owner={{jenkins_user}}
-    group={{jenkins_group}}
+    src="./{{ jenkins_home }}/jobs/{{ item }}/config.xml.j2"
+    dest="{{ jenkins_home }}/jobs/{{ item }}/config.xml"
+    owner={{ jenkins_user }}
+    group={{ jenkins_group }}
     mode=0644
   with_items: jenkins_admin_jobs
 

playbooks/roles/jenkins_admin/templates/edx/var/jenkins/hudson.plugins.s3.S3BucketPublisher.xml.j2

@@ -2,9 +2,9 @@
 <hudson.plugins.s3.S3BucketPublisher_-DescriptorImpl plugin="s3@0.5">
   <profiles>
     <hudson.plugins.s3.S3Profile>
-      <name>{{JENKINS_ADMIN_S3_PROFILE.name}}</name>
-      <accessKey>{{JENKINS_ADMIN_S3_PROFILE.access_key}}</accessKey>
-      <secretKey>{{JENKINS_ADMIN_S3_PROFILE.secret_key}}</secretKey>
+      <name>{{ JENKINS_ADMIN_S3_PROFILE.name }}</name>
+      <accessKey>{{ JENKINS_ADMIN_S3_PROFILE.access_key }}</accessKey>
+      <secretKey>{{ JENKINS_ADMIN_S3_PROFILE.secret_key }}</secretKey>
     </hudson.plugins.s3.S3Profile>
   </profiles>
 </hudson.plugins.s3.S3BucketPublisher_-DescriptorImpl>

playbooks/roles/jenkins_admin/templates/edx/var/jenkins/jobs/backup-jenkins/config.xml.j2

@@ -44,7 +44,7 @@ rm -rf $BUILD_ID
   </builders>
   <publishers>
     <hudson.plugins.s3.S3BucketPublisher plugin="s3@0.5">
-      <profileName>{{JENKINS_ADMIN_S3_PROFILE.name}}</profileName>
+      <profileName>{{ JENKINS_ADMIN_S3_PROFILE.name }}</profileName>
       <entries>
         <hudson.plugins.s3.Entry>
           <bucket>edx-jenkins-backups/{{JENKINS_ADMIN_NAME}}</bucket>

playbooks/roles/jenkins_admin/templates/edx/var/jenkins/jobs/build-ami/config.xml.j2

@@ -33,12 +33,12 @@
         </hudson.model.TextParameterDefinition>
         <hudson.model.StringParameterDefinition>
           <name>configuration</name>
-          <description>The GITREF of configuration to use.</description>
+          <description>The GITREF of configuration to use. Leave blank to default to master.</description>
           <defaultValue></defaultValue>
         </hudson.model.StringParameterDefinition>
         <hudson.model.StringParameterDefinition>
           <name>configuration_secure</name>
-          <description>The GITREF of configuration-secure repository to use.</description>
+          <description>The GITREF of configuration-secure repository to use. Leave blank to default to master.</description>
           <defaultValue></defaultValue>
         </hudson.model.StringParameterDefinition>
         <hudson.model.StringParameterDefinition>
@@ -46,6 +46,11 @@
           <description></description>
           <defaultValue></defaultValue>
         </hudson.model.StringParameterDefinition>
+        <hudson.model.BooleanParameterDefinition>
+          <name>use_blessed</name>
+          <description></description>
+          <defaultValue>true</defaultValue>
+        </hudson.model.BooleanParameterDefinition>
       </parameterDefinitions>
     </hudson.model.ParametersDefinitionProperty>
     <com.sonyericsson.rebuild.RebuildSettings plugin="rebuild@1.20">
@@ -60,7 +65,7 @@
           <hudson.plugins.git.UserRemoteConfig>
             <name></name>
             <refspec></refspec>
-            <url>{{JENKINS_ADMIN_CONFIGURATION_REPO}}</url>
+            <url>{{ JENKINS_ADMIN_CONFIGURATION_REPO }}</url>
           </hudson.plugins.git.UserRemoteConfig>
         </userRemoteConfigs>
         <branches>
@@ -99,7 +104,7 @@
           <hudson.plugins.git.UserRemoteConfig>
             <name></name>
             <refspec></refspec>
-            <url>{{JENKINS_ADMIN_CONFIGURATION_SECURE_REPO}}</url>
+            <url>{{ JENKINS_ADMIN_CONFIGURATION_SECURE_REPO }}</url>
           </hudson.plugins.git.UserRemoteConfig>
         </userRemoteConfigs>
         <branches>
@@ -151,40 +156,23 @@
       <nature>shell</nature>
       <command>
 #!/bin/bash -x
+export jenkins_admin_ec2_key="{{ JENKINS_ADMIN_EC2_KEY }}"
+export jenkins_admin_configuration_secure_repo="{{ JENKINS_ADMIN_CONFIGURATION_SECURE_REPO }}"
 
-if [[ "\$play" == "" ]]; then
-    echo "No Play Specified. Nothing to Do."
-    exit 0
-fi
-
-export PYTHONUNBUFFERED=1
-export PIP_DOWNLOAD_CACHE=\$WORKSPACE/pip-cache
-
-cd configuration
-pip install -r requirements.txt
-
-cd util/vpc-tools/
-
-echo "\$refs" > /var/tmp/$BUILD_ID-refs.yml
-cat /var/tmp/$BUILD_ID-refs.yml
-
-echo "\$vars" > /var/tmp/$BUILD_ID-extra-vars.yml
-cat /var/tmp/$BUILD_ID-extra-vars.yml
-
-python -u abbey.py -p \$play -t c1.medium  -d \$deployment -e \$environment -i /edx/var/jenkins/.ssh/id_rsa -b \$base_ami --vars /var/tmp/\$BUILD_ID-extra-vars.yml --refs /var/tmp/\$BUILD_ID-refs.yml -c \$BUILD_NUMBER --configuration-version \$configuration --configuration-secure-version \$configuration_secure -k deployment --configuration-secure-repo "git@github.com:edx-ops/prod-secure.git"
+configuration/util/jenkins/build-ami.sh
       </command>
       <ignoreExitCode>false</ignoreExitCode>
     </jenkins.plugins.shiningpanda.builders.VirtualenvBuilder>
     <hudson.tasks.Shell>
       <command>#!/bin/bash -x
 
-if [[(&quot;\$play&quot; == &quot;&quot;)]]; then
+if [[(&quot;$play&quot; == &quot;&quot;)]]; then
     echo &quot;No Play Specified. Nothing to Do.&quot;
     exit 0
 fi
 
-rm /var/tmp/\$BUILD_ID-extra-vars.yml
-rm /var/tmp/\$BUILD_ID-refs.yml</command>
+rm /var/tmp/$BUILD_ID-extra-vars.yml
+rm /var/tmp/$BUILD_ID-refs.yml</command>
     </hudson.tasks.Shell>
   </builders>
   <publishers/>

playbooks/roles/jenkins_master/tasks/main.yml

@@ -84,7 +84,9 @@
 # upstream, we may be able to use the regular plugin install process.
 # Until then, we compile and install the forks ourselves.
 - name: checkout custom plugin repo
-  git: repo={{ item.repo_url }} dest=/tmp/{{ item.repo_name }} version={{ item.version }}
+  git: >
+    repo={{ item.repo_url }} dest=/tmp/{{ item.repo_name }} version={{ item.version }}
+    accept_hostkey=yes
   with_items: jenkins_custom_plugins
 
 - name: compile custom plugins

playbooks/roles/jenkins_worker/defaults/main.yml

@@ -36,8 +36,8 @@ jenkins_wheels:
     - { pkg: "django-celery==3.0.17", wheel: "django_celery-3.0.17-py27-none-any.whl" }
     - { pkg: "beautifulsoup4==4.1.3", wheel: "beautifulsoup4-4.1.3-py27-none-any.whl"}
     - { pkg: "beautifulsoup==3.2.1", wheel: "BeautifulSoup-3.2.1-py27-none-any.whl" }
-    - { pkg: "bleach==1.2.2", wheel: "bleach-1.2.2-py27-none-any.whl" }
-    - { pkg: "html5lib==0.95", wheel: "html5lib-0.95-py27-none-any.whl" }
+    - { pkg: "bleach==1.4", wheel: "bleach-1.4-py27-none-any.whl" }
+    - { pkg: "html5lib==0.999", wheel: "html5lib-0.999-py27-none-any.whl" }
     - { pkg: "boto==2.13.3", wheel: "boto-2.13.3-py27-none-any.whl" }
     - { pkg: "celery==3.0.19", wheel: "celery-3.0.19-py27-none-any.whl" }
     - { pkg: "dealer==0.2.3", wheel: "dealer-0.2.3-py27-none-any.whl" }
@@ -64,8 +64,9 @@ jenkins_wheels:
     - { pkg: "gunicorn==0.17.4", wheel: "gunicorn-0.17.4-py27-none-any.whl" }
     - { pkg: "lazy==1.1", wheel: "lazy-1.1-py27-none-any.whl" }
     - { pkg: "lxml==3.0.1", wheel: "lxml-3.0.1-cp27-none-linux_x86_64.whl" }
-    - { pkg: "mako==0.7.3", wheel: "Mako-0.7.3-py27-none-any.whl" }
+    - { pkg: "mako==0.9.1", wheel: "Mako-0.9.1-py2.py3-none-any.whl" }
     - { pkg: "Markdown==2.2.1", wheel: "Markdown-2.2.1-py27-none-any.whl" }
+    - { pkg: "mongoengine==0.7.10", wheel: "mongoengine-0.7.10-py27-none-any.whl" }
     - { pkg: "networkx==1.7", wheel: "networkx-1.7-py27-none-any.whl" }
     - { pkg: "nltk==2.0.4", wheel: "nltk-2.0.4-py27-none-any.whl" }
     - { pkg: "oauthlib==0.5.1", wheel: "oauthlib-0.5.1-py27-none-any.whl" }
@@ -79,7 +80,9 @@ jenkins_wheels:
     - { pkg: "pymongo==2.4.1", wheel: "pymongo-2.4.1-cp27-none-linux_x86_64.whl" }
     - { pkg: "pyparsing==1.5.6", wheel: "pyparsing-1.5.6-py27-none-any.whl" }
     - { pkg: "python-memcached==1.48", wheel: "python_memcached-1.48-py27-none-any.whl" }
-    - { pkg: "python-openid==2.2.5", wheel: "django_openid_auth-0.4-py27-none-any.whl" }
+    - { pkg: "python-openid==2.2.5", wheel: "python_openid-2.2.5-py27-none-any.whl" }
+    - { pkg: "python-dateutil==2.1", wheel: "python_dateutil-2.1-py27-none-any.whl" }
+    - { pkg: "python-social-auth==0.1.21", wheel: "python_social_auth-0.1.21-py27-none-any.whl" }
     - { pkg: "pytz==2012h", wheel: "pytz-2012h-py27-none-any.whl" }
     - { pkg: "pysrt==0.4.7", wheel: "pysrt-0.4.7-py27-none-any.whl" }
     - { pkg: "PyYAML==3.10", wheel: "PyYAML-3.10-cp27-none-linux_x86_64.whl" }
@@ -92,26 +95,35 @@ jenkins_wheels:
     - { pkg: "sympy==0.7.1", wheel: "sympy-0.7.1-py27-none-any.whl" }
     - { pkg: "xmltodict==0.4.1", wheel: "xmltodict-0.4.1-py27-none-any.whl" }
     - { pkg: "django-ratelimit-backend==0.6", wheel: "django_ratelimit_backend-0.6-py27-none-any.whl" }
+    - { pkg: "unicodecsv==0.9.4", wheel: "unicodecsv-0.9.4-py27-none-any.whl" }
     - { pkg: "ipython==0.13.1", wheel: "ipython-0.13.1-py27-none-any.whl" }
     - { pkg: "watchdog==0.6.0", wheel: "watchdog-0.6.0-py27-none-any.whl" }
     - { pkg: "dogapi==1.2.1", wheel: "dogapi-1.2.1-py27-none-any.whl" }
     - { pkg: "newrelic==2.4.0.4", wheel: "newrelic-2.4.0.4-cp27-none-linux_x86_64.whl" }
     - { pkg: "sphinx==1.1.3", wheel: "Sphinx-1.1.3-py27-none-any.whl" }
+    - { pkg: "sphinx_rtd_theme==0.1.5", wheel: "sphinx_rtd_theme-0.1.5-py27-none-any.whl" }
     - { pkg: "Babel==1.3", wheel: "Babel-1.3-py27-none-any.whl" }
-    - { pkg: "transifex-client==0.9.1", wheel: "transifex_client-0.9.1-py27-none-any.whl" }
+    - { pkg: "transifex-client==0.10", wheel: "transifex_client-0.10-py27-none-any.whl" }
+    - { pkg: "django_debug_toolbar", wheel: "django_debug_toolbar-0.11.0-py2.py3-none-any.whl" }
+    - { pkg: "django-debug-toolbar-mongo", wheel: "django_debug_toolbar_mongo-0.1.10-py27-none-any.whl" }
+    - { pkg: "chrono==1.0.2", wheel: "chrono-1.0.2-py2.py3-none-any.whl" }
     - { pkg: "coverage==3.6", wheel: "coverage-3.6-cp27-none-linux_x86_64.whl" }
-    - { pkg: "factory_boy==2.0.2", wheel: "factory_boy-2.0.2-py27-none-any.whl" }
+    - { pkg: "ddt==0.7.1", wheel: "ddt-0.7.1-py27-none-any.whl" }
+    - { pkg: "django-crum==0.5", wheel: "django_crum-0.5-py27-none-any.whl" }
+    - { pkg: "django_nose==1.1", wheel: "django_nose-1.1-py27-none-any.whl" }
+    - { pkg: "factory_boy==2.1.2", wheel: "factory_boy-2.1.2-py27-none-any.whl" }
+    - { pkg: "freezegun==0.1.11", wheel: "freezegun-0.1.11-py27-none-any.whl" }
     - { pkg: "mock==1.0.1", wheel: "mock-1.0.1-py27-none-any.whl" }
     - { pkg: "nosexcover==1.0.7", wheel: "nosexcover-1.0.7-py27-none-any.whl" }
     - { pkg: "pep8==1.4.5", wheel: "pep8-1.4.5-py27-none-any.whl" }
     - { pkg: "pylint==0.28", wheel: "pylint-0.28.0-py27-none-any.whl" }
+    - { pkg: "python-subunit==0.0.16", wheel: "python_subunit-0.0.16-py27-none-any.whl" }
     - { pkg: "rednose==0.3", wheel: "rednose-0.3-py27-none-any.whl" }
-    - { pkg: "selenium==2.34.0", wheel: "selenium-2.34.0-py27-none-any.whl" }
+    - { pkg: "selenium==2.39.0", wheel: "selenium-2.39.0-py27-none-any.whl" }
     - { pkg: "splinter==0.5.4", wheel: "splinter-0.5.4-py27-none-any.whl" }
-    - { pkg: "django_nose==1.1", wheel: "django_nose-1.1-py27-none-any.whl" }
-    - { pkg: "django_debug_toolbar", wheel: "django_debug_toolbar-0.10.2-py2.py3-none-any.whl" }
-    - { pkg: "django-debug-toolbar-mongo", wheel: "django_debug_toolbar_mongo-0.1.10-py27-none-any.whl" }
-    - { pkg: "nose-ignore-docstring", wheel: "nose_ignore_docstring-0.2-py27-none-any.whl" }
-    - { pkg: "nose-exclude", wheel: "nose_exclude-0.1.10-py27-none-any.whl" }
-    - { pkg: "django-crum==0.5", wheel: "django_crum-0.5-py27-none-any.whl" }
+    - { pkg: "testtools==0.9.34", wheel: "testtools-0.9.34-py27-none-any.whl" }
+    - { pkg: "Paver==1.2.1", wheel: "Paver-1.2.1-py27-none-any.whl" }
+    - { pkg: "psutil==1.2.1", wheel: "psutil-1.2.1-cp27-none-linux_x86_64.whl" }
+    - { pkg: "lazy==1.1", wheel: "lazy-1.1-py27-none-any.whl" }
+    - { pkg: "path.py==3.0.1", wheel: "path.py-3.0.1-py27-none-any.whl" }
     - { pkg: "MySQL-python==1.2.4", wheel: "MySQL_python-1.2.4-cp27-none-linux_x86_64.whl" }

playbooks/roles/nginx/defaults/main.yml

@@ -52,3 +52,5 @@ nginx_cfg:
   # nginx configuration
   version_html: "{{ nginx_app_dir }}/versions.html"
   version_json: "{{ nginx_app_dir }}/versions.json"
+
+NGINX_ROBOT_RULES: [ ]

playbooks/roles/nginx/tasks/main.yml

@@ -31,16 +31,24 @@
 
 - name: Server configuration file
   template: >
-    src=nginx.conf.j2 dest=/etc/nginx/nginx.conf
+    src=etc/nginx/nginx.conf.j2 dest=/etc/nginx/nginx.conf
     owner=root group={{ common_web_user }} mode=0644
   notify: reload nginx
 
 - name: Creating common nginx configuration
   template: >
-    src=edx-release.j2 dest={{ nginx_sites_available_dir }}/edx-release
+    src=edx/app/nginx/sites-available/edx-release.j2
+    dest={{ nginx_sites_available_dir }}/edx-release
     owner=root group=root mode=0600
   notify: reload nginx
 
+- name: Create robot rules
+  template: >
+    src=edx/app/nginx/robots.txt.j2 dest={{ nginx_app_dir }}/robots.txt
+    owner=root group={{ common_web_user }} mode=0644
+  notify: reload nginx
+  when: NGINX_ROBOT_RULES|length > 0
+
 - name: Creating link for common nginx configuration
   file: >
     src={{ nginx_sites_available_dir }}/edx-release
@@ -50,7 +58,8 @@
 
 - name: Copying nginx configs for {{ nginx_sites }}
   template: >
-    src={{ item }}.j2 dest={{ nginx_sites_available_dir }}/{{ item }}
+    src=edx/app/nginx/sites-available/{{ item }}.j2
+    dest={{ nginx_sites_available_dir }}/{{ item }}
     owner=root group={{ common_web_user }} mode=0640
   notify: reload nginx
   with_items: nginx_sites
@@ -113,24 +122,14 @@
 
 - name: Set up nginx access log rotation
   template: >
-    dest=/etc/logrotate.d/nginx-access src=edx_logrotate_nginx_access.j2
-    owner=root group=root mode=644
-
-# removing default link
-- name: Removing default nginx config and restart (enabled)
-  file: path={{ nginx_sites_enabled_dir }}/default state=absent
-  notify: reload nginx
-
-# Note that nginx logs to /var/log until it reads its configuration, so /etc/logrotate.d/nginx is still good
-
-- name: Set up nginx access log rotation
-  template: >
-    dest=/etc/logrotate.d/nginx-access src=edx_logrotate_nginx_access.j2
+    src=etc/logrotate.d/edx_logrotate_nginx_access.j2
+    dest=/etc/logrotate.d/nginx-access
     owner=root group=root mode=644
 
 - name: Set up nginx access log rotation
   template: >
-    dest=/etc/logrotate.d/nginx-error src=edx_logrotate_nginx_error.j2
+    src=etc/logrotate.d/edx_logrotate_nginx_error.j2
+    dest=/etc/logrotate.d/nginx-error
     owner=root group=root mode=644
 
 # If tasks that notify restart nginx don't change the state of the remote system

playbooks/roles/nginx/templates/edx/app/nginx/robots.txt.j2

+{% for item in NGINX_ROBOT_RULES %}
+User-agent: {{ item.agent }}
+Disallow: {{ item.disallow }}
+
+{% endfor %}

playbooks/roles/nginx/templates/edx/app/nginx/sites-available/certs.j2

+server {
+  listen {{ CERTS_NGINX_PORT }} default_server;
+
+  location / {
+    root {{ CERTS_WEB_ROOT }};
+    {% include "basic-auth.j2" %}
+    try_files $uri $uri/valid.html =404;
+  }
+}
+

playbooks/roles/nginx/templates/cms.j2 → playbooks/roles/nginx/templates/edx/app/nginx/sites-available/cms.j2

@@ -66,8 +66,10 @@ server {
     try_files $uri @proxy_to_cms_app;
   }
 
+  {% include "robots.j2" %}
+
   # Check security on this
-  location ~ /static/(?P<file>.*) {
+  location ~ ^/static/(?P<file>.*) {
     root {{ edxapp_data_dir }};
     try_files /staticfiles/$file /course_static/$file =404;
 

playbooks/roles/nginx/templates/devpi.j2 → playbooks/roles/nginx/templates/edx/app/nginx/sites-available/devpi.j2

@@ -12,5 +12,7 @@ server {
         proxy_set_header  X-outside-url $scheme://$host;
         proxy_set_header  X-Real-IP $remote_addr;
     }
+
+    {% include robots.j2 %}
 }
 

playbooks/roles/nginx/templates/forum.j2 → playbooks/roles/nginx/templates/edx/app/nginx/sites-available/forum.j2

@@ -40,6 +40,8 @@ server {
     try_files $uri @proxy_to_app;
   }
 
+  {% include "robots.j2" %}
+
 location @proxy_to_app {
     proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
     proxy_set_header X-Forwarded-Port $http_x_forwarded_port;

playbooks/roles/nginx/templates/lms-preview.j2 → playbooks/roles/nginx/templates/edx/app/nginx/sites-available/lms-preview.j2

@@ -46,8 +46,10 @@ server {
     try_files $uri @proxy_to_lms-preview_app;
   }
 
+  {% include "robots.j2" %}
+
   # Check security on this
-  location ~ /static/(?P<file>.*) {
+  location ~ ^/static/(?P<file>.*) {
     root {{ edxapp_data_dir}};
     try_files /staticfiles/$file /course_static/$file =404;
 

playbooks/roles/nginx/templates/lms.j2 → playbooks/roles/nginx/templates/edx/app/nginx/sites-available/lms.j2

@@ -62,8 +62,10 @@ server {
     try_files $uri @proxy_to_lms_app;
   }
 
+  {% include "robots.j2" %}
+
   # Check security on this
-  location ~ /static/(?P<file>.*) {
+  location ~ ^/static/(?P<file>.*) {
     root {{ edxapp_data_dir }};
     try_files /staticfiles/$file /course_static/$file =404;
 

playbooks/roles/nginx/templates/edx/app/nginx/sites-available/nginx_redirect.j2

+{% for item in nginx_redirects -%}
+
+{%- if "default" in item -%}
+  {%- set default_site = "default" -%}
+{%- else -%}
+  {%- set default_site = "" -%}
+{%- endif -%}
+
+server {
+  listen 80 {{ default_site }};
+  listen 443 {{ default_site }} ssl;
+
+  ssl_certificate /etc/ssl/certs/{{ NGINX_SSL_CERTIFICATE|basename }};
+  ssl_certificate_key /etc/ssl/private/{{ NGINX_SSL_KEY|basename }};
+
+  server_name {{ item['server_name'] }};
+  return 301 {{ item['redirect'] }}$request_uri;
+}
+{% endfor %}
+

playbooks/roles/nginx/templates/ora.j2 → playbooks/roles/nginx/templates/edx/app/nginx/sites-available/ora.j2

@@ -31,6 +31,8 @@ server {
     expires epoch;
   }
 
+  {% include "robots.j2" %}
+
   location @proxy_to_app {
     client_max_body_size 75K;
     proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;

playbooks/roles/nginx/templates/edx/app/nginx/sites-available/robots.j2

+{% if NGINX_ROBOT_RULES|length > 0 %}
+  location /robots.txt {
+    root {{ nginx_app_dir }};
+    try_files $uri /robots.txt =404;
+  }
+{% endif %}

playbooks/roles/nginx/templates/xqueue.j2 → playbooks/roles/nginx/templates/edx/app/nginx/sites-available/xqueue.j2

@@ -17,6 +17,8 @@ server {
     try_files $uri @proxy_to_app;
   }
 
+  {% include "robots.j2" %}
+
 location @proxy_to_app {
     proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
     proxy_set_header X-Forwarded-Port $http_x_forwarded_port;

playbooks/roles/notifier/defaults/main.yml

@@ -41,8 +41,8 @@ NOTIFIER_COMMENT_SERVICE_API_KEY: "PUT_YOUR_API_KEY_HERE"
 
 NOTIFIER_USER_SERVICE_BASE: "http://localhost:8000"
 NOTIFIER_USER_SERVICE_API_KEY: "PUT_YOUR_API_KEY_HERE"
-NOTIFIER_USER_SERVICE_HTTP_AUTH_USER: !!null
-NOTIFIER_USER_SERVICE_HTTP_AUTH_PASS: !!null
+NOTIFIER_USER_SERVICE_HTTP_AUTH_USER: ""
+NOTIFIER_USER_SERVICE_HTTP_AUTH_PASS: ""
 NOTIFIER_CELERY_BROKER_URL: "django://"
 NOTIFIER_LOGO_IMAGE_URL: "{{ NOTIFIER_LMS_URL_BASE }}/static/images/header-logo.png"
 NOTIFIER_SUPERVISOR_LOG_DEST: "{{ COMMON_DATA_DIR }}/log/supervisor"
@@ -68,33 +68,33 @@ notifier_debian_pkgs:
 # the env variable for the supervisor job definition.
 #
 notifier_env_vars:
-  FORUM_DIGEST_EMAIL_SENDER: $NOTIFIER_DIGEST_EMAIL_SENDER
-  FORUM_DIGEST_EMAIL_SUBJECT: $NOTIFIER_DIGEST_EMAIL_SUBJECT
-  FORUM_DIGEST_EMAIL_TITLE: $NOTIFIER_DIGEST_EMAIL_TITLE
-  FORUM_DIGEST_EMAIL_DESCRIPTION: $NOTIFIER_DIGEST_EMAIL_DESCRIPTION
-  EMAIL_SENDER_POSTAL_ADDRESS: $NOTIFIER_EMAIL_SENDER_POSTAL_ADDRESS
-  NOTIFIER_LANGUAGE: $NOTIFIER_LANGUAGE
-  NOTIFIER_ENV: $NOTIFIER_ENV
-  NOTIFIER_DB_DIR: $NOTIFIER_DB_DIR
-  EMAIL_BACKEND: $NOTIFIER_EMAIL_BACKEND
-  EMAIL_HOST: $NOTIFIER_EMAIL_HOST
-  EMAIL_PORT: $NOTIFIER_EMAIL_PORT
-  EMAIL_HOST_USER: $NOTIFIER_EMAIL_USER
-  EMAIL_HOST_PASSWORD: $NOTIFIER_EMAIL_PASS
-  EMAIL_USE_TLS: $NOTIFIER_EMAIL_USE_TLS
-  EMAIL_REWRITE_RECIPIENT: $NOTIFIER_EMAIL_REWRITE_RECIPIENT
-  LMS_URL_BASE: $NOTIFIER_LMS_URL_BASE
-  SECRET_KEY: $NOTIFIER_LMS_SECRET_KEY
-  CS_URL_BASE: $NOTIFIER_COMMENT_SERVICE_BASE
-  CS_API_KEY: $NOTIFIER_COMMENT_SERVICE_API_KEY
-  US_URL_BASE: $NOTIFIER_USER_SERVICE_BASE
-  US_API_KEY: $NOTIFIER_USER_SERVICE_API_KEY
-  DATADOG_API_KEY: $NOTIFIER_DD_API_KEY
-  LOG_LEVEL: $NOTIFIER_LOG_LEVEL
-  RSYSLOG_ENABLED: $NOTIFIER_RSYSLOG_ENABLED
-  BROKER_URL: $NOTIFIER_CELERY_BROKER_URL
-  REQUESTS_CA_BUNDLE: $NOTIFER_REQUESTS_CA_BUNDLE
-  US_HTTP_AUTH_USER: $NOTIFIER_USER_SERVICE_HTTP_AUTH_USER
-  US_HTTP_AUTH_PASS: $NOTIFIER_USER_SERVICE_HTTP_AUTH_PASS
-  FORUM_DIGEST_TASK_INTERVAL: $NOTIFIER_DIGEST_TASK_INTERVAL
-  LOGO_IMAGE_URL: $NOTIFIER_LOGO_IMAGE_URL
+  FORUM_DIGEST_EMAIL_SENDER: "{{ NOTIFIER_DIGEST_EMAIL_SENDER }}"
+  FORUM_DIGEST_EMAIL_SUBJECT: "{{ NOTIFIER_DIGEST_EMAIL_SUBJECT }}"
+  FORUM_DIGEST_EMAIL_TITLE: "{{ NOTIFIER_DIGEST_EMAIL_TITLE }}"
+  FORUM_DIGEST_EMAIL_DESCRIPTION: "{{ NOTIFIER_DIGEST_EMAIL_DESCRIPTION }}"
+  EMAIL_SENDER_POSTAL_ADDRESS: "{{ NOTIFIER_EMAIL_SENDER_POSTAL_ADDRESS }}"
+  NOTIFIER_LANGUAGE: "{{ NOTIFIER_LANGUAGE }}"
+  NOTIFIER_ENV: "{{ NOTIFIER_ENV }}"
+  NOTIFIER_DB_DIR: "{{ NOTIFIER_DB_DIR }}"
+  EMAIL_BACKEND: "{{ NOTIFIER_EMAIL_BACKEND }}"
+  EMAIL_HOST: "{{ NOTIFIER_EMAIL_HOST }}"
+  EMAIL_PORT: "{{ NOTIFIER_EMAIL_PORT }}"
+  EMAIL_HOST_USER: "{{ NOTIFIER_EMAIL_USER }}"
+  EMAIL_HOST_PASSWORD: "{{ NOTIFIER_EMAIL_PASS }}"
+  EMAIL_USE_TLS: "{{ NOTIFIER_EMAIL_USE_TLS }}"
+  EMAIL_REWRITE_RECIPIENT: "{{ NOTIFIER_EMAIL_REWRITE_RECIPIENT }}"
+  LMS_URL_BASE: "{{ NOTIFIER_LMS_URL_BASE }}"
+  SECRET_KEY: "{{ NOTIFIER_LMS_SECRET_KEY }}"
+  CS_URL_BASE: "{{ NOTIFIER_COMMENT_SERVICE_BASE }}"
+  CS_API_KEY: "{{ NOTIFIER_COMMENT_SERVICE_API_KEY }}"
+  US_URL_BASE: "{{ NOTIFIER_USER_SERVICE_BASE }}"
+  US_API_KEY: "{{ NOTIFIER_USER_SERVICE_API_KEY }}"
+  DATADOG_API_KEY: "{{ DATADOG_API_KEY }}"
+  LOG_LEVEL: "{{ NOTIFIER_LOG_LEVEL }}"
+  RSYSLOG_ENABLED: "{{ NOTIFIER_RSYSLOG_ENABLED }}"
+  BROKER_URL: "{{ NOTIFIER_CELERY_BROKER_URL }}"
+  REQUESTS_CA_BUNDLE: "{{ NOTIFER_REQUESTS_CA_BUNDLE }}"
+  US_HTTP_AUTH_USER: "{{ NOTIFIER_USER_SERVICE_HTTP_AUTH_USER }}"
+  US_HTTP_AUTH_PASS: "{{ NOTIFIER_USER_SERVICE_HTTP_AUTH_PASS }}"
+  FORUM_DIGEST_TASK_INTERVAL: "{{ NOTIFIER_DIGEST_TASK_INTERVAL }}"
+  LOGO_IMAGE_URL: "{{ NOTIFIER_LOGO_IMAGE_URL }}"

playbooks/roles/notifier/tasks/deploy.yml

@@ -4,6 +4,7 @@
   git:
     dest={{ NOTIFIER_CODE_DIR }} repo={{ NOTIFIER_SOURCE_REPO }}
     version={{ NOTIFIER_VERSION }}
+    accept_hostkey=yes
   sudo: true
   sudo_user: "{{ NOTIFIER_USER }}"
   notify:

playbooks/roles/notifier/templates/edx/app/supervisor/conf.d/notifier-celery-workers.conf.j2

@@ -27,5 +27,5 @@ stderr_logfile_backups=10
 stderr_capture_maxbytes=1MB
 environment=PID='/var/tmp/notifier-celery-workers.pid',LANG=en_US.UTF-8,
 {%- for name,value in notifier_env_vars.items() -%}
-{{name}}="{{value}}"{%- if not loop.last -%},{%- endif -%}
+{%- if value -%}{{name}}="{{value}}"{%- if not loop.last -%},{%- endif -%}{%- endif -%}
 {%- endfor -%}

playbooks/roles/notifier/templates/edx/app/supervisor/conf.d/notifier-scheduler.conf.j2

@@ -27,5 +27,5 @@ stderr_logfile_backups=10
 stderr_capture_maxbytes=1MB
 environment=PID='/var/tmp/notifier-scheduler.pid',LANG=en_US.UTF-8,
 {%- for name,value in notifier_env_vars.items() -%}
-{{name}}="{{value}}"{%- if not loop.last -%},{%- endif -%}
+{%- if value -%}{{name}}="{{value}}"{%- if not loop.last -%},{%- endif -%}{%- endif -%}
 {%- endfor -%}

playbooks/roles/ora/tasks/deploy.yml

@@ -40,7 +40,9 @@
 
 # Do A Checkout
 - name: git checkout ora repo into {{ ora_app_dir }}
-  git: dest={{ ora_code_dir }} repo={{ ora_source_repo }} version={{ ora_version }}
+  git: >
+    dest={{ ora_code_dir }} repo={{ ora_source_repo }} version={{ ora_version }}
+    accept_hostkey=yes
   sudo_user: "{{ ora_user }}"
   notify:
     - restart ora
@@ -52,7 +54,9 @@
 
 # Install the python pre requirements into {{ ora_venv_dir }}
 - name: install python pre-requirements
-  pip: requirements="{{ ora_pre_requirements_file }}" virtualenv="{{ ora_venv_dir }}" state=present
+  pip: >
+    requirements="{{ ora_pre_requirements_file }}" virtualenv="{{ ora_venv_dir }}" state=present
+    extra_args="-i {{ COMMON_PYPI_MIRROR_URL }}"
   sudo_user: "{{ ora_user }}"
   notify:
     - restart ora
@@ -60,7 +64,9 @@
 
 # Install the python post requirements into {{ ora_venv_dir }}
 - name: install python post-requirements
-  pip: requirements="{{ ora_post_requirements_file }}" virtualenv="{{ ora_venv_dir }}" state=present
+  pip: >
+    requirements="{{ ora_post_requirements_file }}" virtualenv="{{ ora_venv_dir }}" state=present
+    extra_args="-i {{ COMMON_PYPI_MIRROR_URL }}"
   sudo_user: "{{ ora_user }}"
   notify:
     - restart ora

playbooks/roles/ora/tasks/ease.yml

 # Do A Checkout
 - name: git checkout ease repo into its base dir
-  git: dest={{ora_ease_code_dir}} repo={{ora_ease_source_repo}} version={{ora_ease_version}}
+  git: >
+    dest={{ora_ease_code_dir}} repo={{ora_ease_source_repo}} version={{ora_ease_version}}
+    accept_hostkey=yes
   sudo_user: "{{ ora_user }}"
   notify:
     - restart ora
@@ -16,7 +18,9 @@
 
 # Install the python pre requirements into {{ ora_ease_venv_dir }}
 - name: install ease python pre-requirements
-  pip: requirements="{{ora_ease_pre_requirements_file}}" virtualenv="{{ora_ease_venv_dir}}" state=present
+  pip: >
+    requirements="{{ora_ease_pre_requirements_file}}" virtualenv="{{ora_ease_venv_dir}}" state=present
+    extra_args="-i {{ COMMON_PYPI_MIRROR_URL }}"
   sudo_user: "{{ ora_user }}"
   notify:
     - restart ora
@@ -24,7 +28,9 @@
 
 # Install the python post requirements into {{ ora_ease_venv_dir }}
 - name: install ease python post-requirements
-  pip: requirements="{{ora_ease_post_requirements_file}}" virtualenv="{{ora_ease_venv_dir}}" state=present
+  pip: >
+    requirements="{{ora_ease_post_requirements_file}}" virtualenv="{{ora_ease_venv_dir}}" state=present
+    extra_args="-i {{ COMMON_PYPI_MIRROR_URL }}"
   sudo_user: "{{ ora_user }}"
   notify:
     - restart ora

playbooks/roles/rabbitmq/defaults/main.yml

@@ -28,9 +28,15 @@ rabbitmq_refresh: false
 
 rabbitmq_apt_key: "http://www.rabbitmq.com/rabbitmq-signing-key-public.asc"
 rabbitmq_repository: "deb http://www.rabbitmq.com/debian/ testing main"
+# We mirror the deb package for rabbitmq-server because
+# nodes need to be running the same version
+rabbitmq_pkg_url: "http://files.edx.org/rabbitmq_packages/rabbitmq-server_3.2.3-1_all.deb"
 rabbitmq_pkg: "rabbitmq-server"
 rabbitmq_debian_pkgs:
   - python-software-properties
+  # for installing the deb package with
+  # dependencies
+  - gdebi
 
 rabbitmq_config_dir: "/etc/rabbitmq"
 rabbitmq_cookie_dir: "/var/lib/rabbitmq"

playbooks/roles/rabbitmq/tasks/main.yml

@@ -10,10 +10,23 @@
   apt: pkg={{",".join(rabbitmq_debian_pkgs)}} state=present
 
 - name: add rabbit repository
-  apt_repository: repo="{{rabbitmq_repository}}" state=present
+  apt_repository: repo="{{rabbitmq_repository}}" state=present update_cache=yes
 
-- name: install rabbitmq
-  apt: pkg={{rabbitmq_pkg}} state=present update_cache=yes
+- name: fetch the rabbitmq server deb
+  get_url: >
+    url={{ rabbitmq_pkg_url }}
+    dest=/var/tmp/{{ rabbitmq_pkg_url|basename }}
+
+- name: check if rabbit is installed
+  shell: >
+    dpkg -s rabbitmq-server >/dev/null 2>&1 || echo "not installed"
+  register: is_installed
+
+- name: install rabbit package using gdebi
+  shell: >
+    gdebi --n {{ rabbitmq_pkg_url|basename }}
+    chdir=/var/tmp
+  when: is_installed.stdout == "not installed"
 
 - name: stop rabbit cluster
   service: name=rabbitmq-server state=stopped
@@ -76,6 +89,9 @@
 - name: add vhosts
   rabbitmq_vhost: name={{ item }} state=present
   with_items: RABBITMQ_VHOSTS
+  tags:
+    - vhosts
+    - maintenance
 
 - name: add admin users
   rabbitmq_user: >
@@ -87,10 +103,16 @@
     - ${rabbitmq_auth_config.admins}
     - RABBITMQ_VHOSTS
   when: "'admins' in rabbitmq_auth_config"
+  tags:
+    - users
+    - maintenance
 
 - name: make queues mirrored
   shell: "/usr/sbin/rabbitmqctl set_policy HA '^(?!amq\\.).*' '{\"ha-mode\": \"all\"}'"
   when: RABBITMQ_CLUSTERED or rabbitmq_clustered_hosts|length > 1
+  tags:
+    - ha
+    - maintenance
 
 #
 # Depends upon the management plugin

playbooks/roles/rbenv/tasks/main.yml

@@ -53,6 +53,7 @@
   git: >
     repo=https://github.com/sstephenson/rbenv.git
     dest={{ rbenv_dir }}/.rbenv version={{ rbenv_version }}
+    accept_hostkey=yes
   sudo_user: "{{ rbenv_user }}"
 
 - name: ensure ruby_env exists
@@ -79,7 +80,9 @@
   when: rbuild_present|failed or (installable_ruby_vers is defined and rbenv_ruby_version not in installable_ruby_vers)
 
 - name: clone ruby-build repo
-  git: repo=https://github.com/sstephenson/ruby-build.git dest={{ tempdir.stdout }}/ruby-build
+  git: >
+    repo=https://github.com/sstephenson/ruby-build.git dest={{ tempdir.stdout }}/ruby-build
+    accept_hostkey=yes
   when: rbuild_present|failed or (installable_ruby_vers is defined and rbenv_ruby_version not in installable_ruby_vers)
   sudo_user: "{{ rbenv_user }}"
 

playbooks/roles/supervisor/tasks/main.yml

@@ -87,11 +87,15 @@
 
 
 - name: install supervisor in its venv
-  pip: name=supervisor virtualenv="{{supervisor_venv_dir}}" state=present
+  pip: >
+    name=supervisor virtualenv="{{supervisor_venv_dir}}" state=present
+    extra_args="-i {{ COMMON_PYPI_MIRROR_URL }}"
   sudo_user: "{{ supervisor_user }}"
 
 - name: install supervisor in its venv
-  pip: name=boto virtualenv="{{supervisor_venv_dir}}" state=present
+  pip: >
+    name=boto virtualenv="{{supervisor_venv_dir}}" state=present
+    extra_args="-i {{ COMMON_PYPI_MIRROR_URL }}"
   sudo_user: "{{ supervisor_user }}"
   when: supervisor_service == "supervisor" and disable_edx_services and not devstack
 

playbooks/roles/user/defaults/main.yml

@@ -18,7 +18,7 @@
 user_role_name: user
 
 # override this var to add a prefix to the prompt
-# also need to set commont_update_bashrc for to
+# also need to set comment_update_bashrc for to
 # update the system bashrc default
 USER_CMD_PROMPT: ""
 

playbooks/roles/user/tasks/main.yml

@@ -66,7 +66,7 @@
 #
 # By default for restricted users we only allow sudo, if you
 # want to provide more binaries add them to user_rbash_links
-# which can be passed in as a paramter to the role.
+# which can be passed in as a parameter to the role.
 #
 
 - debug: var=user_info
@@ -74,6 +74,13 @@
 - name: create the edxadmin group
   group: name=edxadmin state=present
 
+# some AMIs (such as EMR master nodes) don't read the config files out of /etc/sudoers.d by default
+- name: ensure sudoers.d is read
+  lineinfile: >
+    dest=/etc/sudoers state=present
+    regexp='^#includedir /etc/sudoers.d' line='#includedir /etc/sudoers.d'
+    validate='visudo -cf %s'
+
 # give full sudo admin access to the edxadmin group
 - name: grant full sudo access to the edxadmin group
   copy: >
@@ -82,45 +89,47 @@
     mode=0440 validate='visudo -cf %s'
 
 - name: create the users
-  user:
+  user: >
     name={{ item.name }}
     shell=/bin/bash
+    state={{ item.state | default('present') }}
   with_items: user_info
 
 - name: create .ssh directory
-  file:
+  file: >
     path=/home/{{ item.name }}/.ssh state=directory mode=0750
     owner={{ item.name }}
+  when: item.get('state', 'present') == 'present'
   with_items: user_info
 
 - name: assign admin role to admin users
-  user:
+  user: >
     name={{ item.name }}
     groups=edxadmin
-  when: item.type is defined and item.type == 'admin'
+  when: item.type is defined and item.type == 'admin' and item.get('state', 'present') == 'present'
   with_items: user_info
 
 # authorized_keys2 used here so that personal
 # keys can be copied to authorized_keys
 # force is set to yes here, otherwise the keys
-# won't update if they haven't changed on teh github
+# won't update if they haven't changed on the github
 # side
 - name: copy github key[s] to .ssh/authorized_keys2
-  get_url:
+  get_url: >
     url=https://github.com/{{ item.name }}.keys
     force=yes
     dest=/home/{{ item.name }}/.ssh/authorized_keys2 mode=0640
     owner={{ item.name }}
-  when: item.github is defined
+  when: item.github is defined and item.get('state', 'present') == 'present'
   with_items: user_info
 
 - name: copy additional authorized keys
   copy: >
-    content="{{ "\n".join(item.authorized_keys) }}"
+    content="{{ '\n'.join(item.authorized_keys) }}"
     dest=/home/{{ item.name }}/.ssh/authorized_keys mode=0640
     owner={{ item.name }}
     mode=0440
-  when: item.authorized_keys is defined
+  when: item.authorized_keys is defined and item.get('state', 'present') == 'present'
   with_items: user_info
 
 - name: create bashrc file for normal users
@@ -128,7 +137,7 @@
     src=default.bashrc.j2
     dest=/home/{{ item.name }}/.bashrc mode=0640
     owner={{ item.name }}
-  when: not (item.type is defined and item.type == 'restricted')
+  when: not (item.type is defined and item.type == 'restricted') and item.get('state', 'present') == 'present'
   with_items: user_info
 
 - name: create .profile for all users
@@ -136,16 +145,17 @@
     src=default.profile.j2
     dest=/home/{{ item.name }}/.profile mode=0640
     owner={{ item.name }}
+  when: item.get('state', 'present') == 'present'
   with_items: user_info
 
 ########################################################
 # All tasks below this line are for restricted users
 
 - name: modify shell for restricted users
-  user:
+  user: >
     name={{ item.name }}
     shell=/bin/rbash
-  when: item.type is defined and item.type == 'restricted'
+  when: item.type is defined and item.type == 'restricted' and item.get('state', 'present') == 'present'
   with_items: user_info
 
 - name: create bashrc file for restricted users
@@ -153,11 +163,11 @@
     src=restricted.bashrc.j2
     dest=/home/{{ item.name }}/.bashrc mode=0640
     owner={{ item.name }}
-  when: item.type is defined and item.type == 'restricted'
+  when: item.type is defined and item.type == 'restricted' and item.get('state', 'present') == 'present'
   with_items: user_info
 
 - name: create sudoers file from template
-  template:
+  template: >
     dest=/etc/sudoers.d/99-restricted
     src=restricted.sudoers.conf.j2 owner="root"
     group="root" mode=0440 validate='visudo -cf %s'
@@ -167,14 +177,14 @@
 
 - name: change home directory ownership to root for restricted users
   shell: "chown -R root:{{ item.name }} /home/{{ item.name }}"
-  when: item.type is defined and item.type == 'restricted'
+  when: item.type is defined and item.type == 'restricted' and item.get('state', 'present') == 'present'
   with_items: user_info
 
 - name: create ~/bin directory
-  file:
+  file: >
     path=/home/{{ item.name }}/bin state=directory mode=0750
     owner="root" group={{ item.name }}
-  when: item.type is defined and item.type == 'restricted'
+  when: item.type is defined and item.type == 'restricted' and item.get('state', 'present') == 'present'
   with_items: user_info
 
 - name: create allowed command links
@@ -182,7 +192,7 @@
     src: "{{ item[1] }}"
     dest: "/home/{{ item[0].name }}/bin/{{ item[1]|basename }}"
     state: link
-  when: item[0].type is defined and item[0].type == 'restricted'
+  when: item[0].type is defined and item[0].type == 'restricted' and item[0].get('state', 'present') == 'present'
   with_nested:
     - user_info
     - user_rbash_links

playbooks/roles/user/templates/default.bashrc.j2

@@ -53,10 +53,12 @@ if [ -n "$force_color_prompt" ]; then
     fi
 fi
 
+command -v ec2metadata >/dev/null 2>&1 && {  INSTANCEID=$(ec2metadata --instance-id); }
+
 if [ "$color_prompt" = yes ]; then
-    PS1='{{ USER_CMD_PROMPT }}${debian_chroot:+($debian_chroot)}\[\033[01;32m\]\u@\h\[\033[00m\]:\[\033[01;34m\]\w\[\033[00m\]\$ '
+    PS1='{{ USER_CMD_PROMPT }}${debian_chroot:+($debian_chroot)}\[\033[01;32m\]\u@\h $INSTANCEID\[\033[00m\]:\[\033[01;34m\]\w\[\033[00m\]\$ '
 else
-    PS1='{{ USER_CMD_PROMPT}}${debian_chroot:+($debian_chroot)}\u@\h:\w\$ '
+    PS1='{{ USER_CMD_PROMPT}}${debian_chroot:+($debian_chroot)}\u@\h $INSTANCEID:\w\$ '
 fi
 unset color_prompt force_color_prompt
 

playbooks/roles/xqueue/defaults/main.yml

@@ -2,21 +2,6 @@
 # when the role is included
 ---
 XQUEUE_NGINX_PORT: 18040
-
-xqueue_app_dir: "{{ COMMON_APP_DIR }}/xqueue"
-xqueue_code_dir: "{{ xqueue_app_dir }}/xqueue"
-xqueue_data_dir: "{{ COMMON_DATA_DIR }}/xqueue"
-xqueue_venvs_dir: "{{ xqueue_app_dir }}/venvs"
-xqueue_venv_dir: "{{ xqueue_venvs_dir }}/xqueue"
-xqueue_venv_bin: "{{ xqueue_venv_dir }}/bin"
-xqueue_user: "xqueue"
-
-# Default nginx listen port
-# These should be overrided if you want
-# to serve all content on port 80
-xqueue_gunicorn_port: 8040
-xqueue_gunicorn_host: 127.0.0.1
-
 XQUEUE_QUEUES:
   # push queue
   'edX-Open_DemoX': 'http://localhost:18050'
@@ -46,6 +31,23 @@ XQUEUE_MYSQL_PASSWORD: 'password'
 XQUEUE_MYSQL_HOST: 'localhost'
 XQUEUE_MYSQL_PORT: '3306'
 
+# Internal vars below this line
+#############################################
+
+xqueue_app_dir: "{{ COMMON_APP_DIR }}/xqueue"
+xqueue_code_dir: "{{ xqueue_app_dir }}/xqueue"
+xqueue_data_dir: "{{ COMMON_DATA_DIR }}/xqueue"
+xqueue_venvs_dir: "{{ xqueue_app_dir }}/venvs"
+xqueue_venv_dir: "{{ xqueue_venvs_dir }}/xqueue"
+xqueue_venv_bin: "{{ xqueue_venv_dir }}/bin"
+xqueue_user: "xqueue"
+
+# Default nginx listen port
+# These should be overrided if you want
+# to serve all content on port 80
+xqueue_gunicorn_port: 8040
+xqueue_gunicorn_host: 127.0.0.1
+
 xqueue_env_config:
   XQUEUES: $XQUEUE_QUEUES
   XQUEUE_WORKERS_PER_QUEUE: 12

playbooks/roles/xqueue/tasks/deploy.yml

@@ -28,7 +28,9 @@
 
 # Do A Checkout
 - name: git checkout xqueue repo into xqueue_code_dir
-  git: dest={{ xqueue_code_dir }} repo={{ xqueue_source_repo }} version={{ xqueue_version }}
+  git: >
+    dest={{ xqueue_code_dir }} repo={{ xqueue_source_repo }} version={{ xqueue_version }}
+    accept_hostkey=yes
   sudo_user: "{{ xqueue_user }}"
   notify:
     - restart xqueue
@@ -36,26 +38,44 @@
 
 # Install the python pre requirements into {{ xqueue_venv_dir }}
 - name : install python pre-requirements
-  pip: requirements="{{ xqueue_pre_requirements_file }}" virtualenv="{{ xqueue_venv_dir }}" state=present
+  pip: >
+    requirements="{{ xqueue_pre_requirements_file }}" virtualenv="{{ xqueue_venv_dir }}" state=present
+    extra_args="-i {{ COMMON_PYPI_MIRROR_URL }}"
   sudo_user: "{{ xqueue_user }}"
   notify:
     - restart xqueue
 
 # Install the python post requirements into {{ xqueue_venv_dir }}
 - name : install python post-requirements
-  pip: requirements="{{ xqueue_post_requirements_file }}" virtualenv="{{ xqueue_venv_dir }}" state=present
+  pip: >
+    requirements="{{ xqueue_post_requirements_file }}" virtualenv="{{ xqueue_venv_dir }}" state=present
+    extra_args="-i {{ COMMON_PYPI_MIRROR_URL }}"
   sudo_user: "{{ xqueue_user }}"
   notify:
     - restart xqueue
 
+# If there is a common user for migrations run migrations using his username
+# and credentials. If not we use the xqueue mysql user
+- name: syncdb and migrate
+  shell: >
+    SERVICE_VARIANT=xqueue {{ xqueue_venv_bin }}/django-admin.py syncdb --migrate --noinput --settings=xqueue.aws_migrate --pythonpath={{ xqueue_code_dir }}
+  sudo_user: "{{ xqueue_user }}"
+  environment:
+    DB_MIGRATION_USER: "{{ COMMON_MYSQL_MIGRATE_USER }}"
+    DB_MIGRATION_PASS: "{{ COMMON_MYSQL_MIGRATE_PASS }}"
+  when: migrate_db is defined and migrate_db|lower == "yes" and COMMON_MYSQL_MIGRATE_PASS
+  notify:
+    - restart xqueue
+
 - name: syncdb and migrate
   shell: >
     SERVICE_VARIANT=xqueue {{ xqueue_venv_bin }}/django-admin.py syncdb --migrate --noinput --settings=xqueue.aws_settings --pythonpath={{ xqueue_code_dir }}
-  when: migrate_db is defined and migrate_db|lower == "yes"
   sudo_user: "{{ xqueue_user }}"
+  when: migrate_db is defined and migrate_db|lower == "yes" and not COMMON_MYSQL_MIGRATE_PASS
   notify:
     - restart xqueue
 
+
 - name: create users
   shell: >
     SERVICE_VARIANT=xqueue {{ xqueue_venv_bin }}/django-admin.py update_users --settings=xqueue.aws_settings --pythonpath={{ xqueue_code_dir }}

playbooks/roles/xserver/tasks/deploy.yml

@@ -12,17 +12,23 @@
   when: not disable_edx_services
 
 - name: checkout code
-  git: dest={{xserver_code_dir}} repo={{xserver_source_repo}} version={{xserver_version}}
+  git: >
+    dest={{xserver_code_dir}} repo={{xserver_source_repo}} version={{xserver_version}}
+    accept_hostkey=yes
   sudo_user: "{{ xserver_user }}"
   notify: restart xserver
 
 - name: install requirements
-  pip: requirements="{{xserver_requirements_file}}" virtualenv="{{ xserver_venv_dir }}" state=present
+  pip: >
+    requirements="{{xserver_requirements_file}}" virtualenv="{{ xserver_venv_dir }}" state=present
+    extra_args="-i {{ COMMON_PYPI_MIRROR_URL }}"
   sudo_user: "{{ xserver_user }}"
   notify: restart xserver
 
 - name: install sandbox requirements
-  pip: requirements="{{xserver_requirements_file}}" virtualenv="{{xserver_venv_sandbox_dir}}" state=present
+  pip: >
+    requirements="{{xserver_requirements_file}}" virtualenv="{{xserver_venv_sandbox_dir}}" state=present
+    extra_args="-i {{ COMMON_PYPI_MIRROR_URL }}"
   sudo_user: "{{ xserver_user }}"
   notify: restart xserver
 
@@ -44,7 +50,9 @@
   notify: restart xserver
 
 - name: checkout grader code
-  git: dest={{ XSERVER_GRADER_DIR }} repo={{ XSERVER_GRADER_SOURCE }} version={{ xserver_grader_version }}
+  git: >
+    dest={{ XSERVER_GRADER_DIR }} repo={{ XSERVER_GRADER_SOURCE }} version={{ xserver_grader_version }}
+    accept_hostkey=yes
   environment:
     GIT_SSH: /tmp/git_ssh.sh
   notify: restart xserver

playbooks/roles/xserver/tasks/main.yml

@@ -32,6 +32,8 @@
     group="{{ common_web_group }}"
   with_items:
     - "{{ xserver_app_dir }}"
+    # needed for the ansible 1.5 git module
+    - "{{ xserver_app_dir }}/.ssh"
     - "{{ xserver_venvs_dir }}"
     - "{{ xserver_data_dir }}"
     - "{{ xserver_data_dir }}/data"

playbooks/roles/xserver/templates/git_ssh.sh.j2

 #!/bin/sh
-exec /usr/bin/ssh -o StrictHostKeyChecking=no -i {{ xserver_git_identity }} "$@"
+exec /usr/bin/ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i {{ xserver_git_identity }} "$@"

playbooks/vagrant-devstack.yml

@@ -3,14 +3,15 @@
   sudo: True
   gather_facts: True
   vars:
-    migrate_db: "yes"
-    openid_workaround: True
-    devstack: True
-    disable_edx_services: True
+    migrate_db: 'yes'
+    openid_workaround: true
+    devstack: true
+    disable_edx_services: true
     edx_platform_version: 'master'
-    mongo_enable_journal: False
+    mongo_enable_journal: false
     EDXAPP_NO_PREREQ_INSTALL: 0
-    COMMON_MOTD_TEMPLATE: "devstack_motd.tail.j2"
+    COMMON_MOTD_TEMPLATE: 'devstack_motd.tail.j2'
+    COMMON_SSH_PASSWORD_AUTH: "yes"
   vars_files:
     - "group_vars/all"
   roles:

playbooks/vagrant-fullstack.yml

@@ -3,10 +3,13 @@
   sudo: True
   gather_facts: True
   vars:
-    migrate_db: "yes"
-    openid_workaround: True
-    EDXAPP_LMS_NGINX_PORT: '80'
+    migrate_db: 'yes'
+    openid_workaround: true
     edx_platform_version: 'master'
+    EDXAPP_LMS_NGINX_PORT: '80'
+    EDX_ANSIBLE_DUMP_VARS: true
+    CERTS_DOWNLOAD_URL: 'http://192.168.33.10:18090'
+    CERTS_VERIFY_URL: 'http://192.168.33.10:18090'
   vars_files:
     - "group_vars/all"
   roles:
@@ -19,6 +22,7 @@
       - ora
       - forum
       - xqueue
+      - certs
       nginx_default_sites:
       - lms
       - cms
@@ -33,4 +37,5 @@
     - forum
     - { role: "xqueue", update_users: True }
     - ora
+    - certs
     - edx_ansible

requirements.txt

-ansible==1.4.4
-PyYAML==3.10
+ansible==1.5.4
+PyYAML==3.11
 Jinja2==2.7.2
-MarkupSafe==0.18
+MarkupSafe==0.21
 argparse==1.2.1
 boto==2.20.1
-ecdsa==0.10
-paramiko==1.12.0
+ecdsa==0.11
+paramiko==1.13.0
 pycrypto==2.6.1
 wsgiref==0.1.2
 docopt==0.6.1

util/install/vagrant.sh

+#!/bin/sh
 ##
 ## Installs the pre-requisites for running edX on a single Ubuntu 12.04
 ## instance.  This script is provided as a convenience and any of these
-## steps could be executed manually.  
-## 
-## Note that this script requires that you have the ability to run 
+## steps could be executed manually.
+##
+## Note that this script requires that you have the ability to run
 ## commands as root via sudo.  Caveat Emptor!
 ##
 
@@ -27,7 +28,7 @@ sudo pip install --upgrade virtualenv
 ## Clone the configuration repository and run Ansible
 ##
 cd /var/tmp
-git clone https://github.com/edx/configuration
+git clone -b release https://github.com/edx/configuration
 
 ##
 ## Install the ansible requirements
@@ -38,5 +39,4 @@ sudo pip install -r requirements.txt
 ##
 ## Run the edx_sandbox.yml playbook in the configuration/playbooks directory
 ##
-cd /var/tmp/configuration/playbooks
-sudo ansible-playbook -c local ./edx_sandbox.yml -i "localhost,"
+cd /var/tmp/configuration/playbooks && sudo ansible-playbook -c local ./edx_sandbox.yml -i "localhost,"

util/jenkins/ansible-provision.sh

@@ -3,7 +3,7 @@
 # Ansible provisioning wrapper script that
 # assumes the following parameters set
 # as environment variables
-# 
+#
 # - github_username
 # - server_type
 # - instance_type
@@ -41,7 +41,7 @@ if [[ ! -f $BOTO_CONFIG ]]; then
   exit 1
 fi
 
-extra_vars="/var/tmp/extra-vars-$$.yml"
+extra_vars_file="/var/tmp/extra-vars-$$.yml"
 
 if [[ -z $region ]]; then
   region="us-east-1"
@@ -65,14 +65,14 @@ fi
 
 if [[ -z $ami ]]; then
   if [[ $server_type == "full_edx_installation" ]]; then
-    ami="ami-f551419c"
+    ami="ami-97dbc3fe"
   elif [[ $server_type == "ubuntu_12.04" || $server_type == "full_edx_installation_from_scratch" ]]; then
     ami="ami-59a4a230"
   fi
 fi
 
 if [[ -z $instance_type ]]; then
-  instance_type="m1.medium"
+  instance_type="m3.medium"
 fi
 
 deploy_host="${dns_name}.${dns_zone}"
@@ -80,13 +80,15 @@ ssh-keygen -f "/var/lib/jenkins/.ssh/known_hosts" -R "$deploy_host"
 
 cd playbooks/edx-east
 
-cat << EOF > $extra_vars
+cat << EOF > $extra_vars_file
 ---
 ansible_ssh_private_key_file: /var/lib/jenkins/${keypair}.pem
 EDXAPP_PREVIEW_LMS_BASE: preview.${deploy_host}
 EDXAPP_LMS_BASE: ${deploy_host}
 EDXAPP_CMS_BASE: studio.${deploy_host}
 EDXAPP_SITE_NAME: ${deploy_host}
+CERTS_DOWNLOAD_URL: "http://${deploy_host}:18090"
+CERTS_VERIFY_URL: "http://${deploy_host}:18090"
 edx_platform_version: $edxapp_version
 forum_version: $forum_version
 xqueue_version: $xqueue_version
@@ -96,11 +98,14 @@ ease_version: $ease_version
 certs_version: $certs_version
 discern_version: $discern_version
 EDXAPP_STATIC_URL_BASE: $static_url_base
+
+# User provided extra vars
+$extra_vars
 EOF
 
 if [[ $basic_auth == "true" ]]; then
     # vars specific to provisioning added to $extra-vars
-    cat << EOF_AUTH >> $extra_vars
+    cat << EOF_AUTH >> $extra_vars_file
 NGINX_HTPASSWD_USER: $auth_user
 NGINX_HTPASSWD_PASS: $auth_pass
 EOF_AUTH
@@ -109,15 +114,15 @@ fi
 
 if [[ $recreate == "true" ]]; then
     # vars specific to provisioning added to $extra-vars
-    cat << EOF >> $extra_vars
+    cat << EOF >> $extra_vars_file
 dns_name: $dns_name
 keypair: $keypair
 instance_type: $instance_type
 security_group: $security_group
 ami: $ami
-region: $region 
+region: $region
 zone: $zone
-instance_tags: 
+instance_tags:
     environment: $environment
     github_username: $github_username
     Name: $name_tag
@@ -137,14 +142,14 @@ elb: $elb
 EOF
 
     # run the tasks to launch an ec2 instance from AMI
-    cat $extra_vars
-    ansible-playbook edx_provision.yml  -i inventory.ini -e@${extra_vars} -e@${WORKSPACE}/configuration-secure/ansible/vars/developer-sandbox.yml --user ubuntu  -v
+    cat $extra_vars_file
+    ansible-playbook edx_provision.yml  -i inventory.ini -e@${extra_vars_file} -e@${WORKSPACE}/configuration-secure/ansible/vars/developer-sandbox.yml --user ubuntu  -v
 
     if [[ $server_type == "full_edx_installation" ]]; then
         # additional tasks that need to be run if the
         # entire edx stack is brought up from an AMI
-        ansible-playbook rabbitmq.yml -i "${deploy_host}," -e@${extra_vars} -e@${WORKSPACE}/configuration-secure/ansible/vars/developer-sandbox.yml --user ubuntu
-        ansible-playbook restart_supervisor.yml -i "${deploy_host}," -e@${extra_vars} -e@${WORKSPACE}/configuration-secure/ansible/vars/developer-sandbox.yml --user ubuntu
+        ansible-playbook rabbitmq.yml -i "${deploy_host}," -e@${extra_vars_file} -e@${WORKSPACE}/configuration-secure/ansible/vars/developer-sandbox.yml --user ubuntu
+        ansible-playbook restart_supervisor.yml -i "${deploy_host}," -e@${extra_vars_file} -e@${WORKSPACE}/configuration-secure/ansible/vars/developer-sandbox.yml --user ubuntu
     fi
 fi
 
@@ -157,21 +162,21 @@ done
 # If reconfigure was selected or if starting from an ubuntu 12.04 AMI
 # run non-deploy tasks for all roles
 if [[ $reconfigure == "true" || $server_type == "full_edx_installation_from_scratch" ]]; then
-    cat $extra_vars
-    ansible-playbook edx_continuous_integration.yml -i "${deploy_host}," -e@${extra_vars} -e@${WORKSPACE}/configuration-secure/ansible/vars/developer-sandbox.yml --user ubuntu --skip-tags deploy
+    cat $extra_vars_file
+    ansible-playbook edx_continuous_integration.yml -i "${deploy_host}," -e@${extra_vars_file} -e@${WORKSPACE}/configuration-secure/ansible/vars/developer-sandbox.yml --user ubuntu 
 fi
 
-if [[ $server_type == "full_edx_installation" || $server_type == "full_edx_installation_from_scratch" ]]; then
+if [[ $server_type == "full_edx_installation" ]]; then
     # Run deploy tasks for the roles selected
     for i in $roles; do
         if [[ ${deploy[$i]} == "true" ]]; then
-            cat $extra_vars
-            ansible-playbook ${i}.yml -i "${deploy_host}," -e@${extra_vars} -e@${WORKSPACE}/configuration-secure/ansible/vars/developer-sandbox.yml --user ubuntu --tags deploy
+            cat $extra_vars_file
+            ansible-playbook ${i}.yml -i "${deploy_host}," -e@${extra_vars_file} -e@${WORKSPACE}/configuration-secure/ansible/vars/developer-sandbox.yml --user ubuntu --tags deploy -v
         fi
     done
 fi
 
 # deploy the edx_ansible role
-ansible-playbook edx_ansible.yml -i "${deploy_host}," -e@${extra_vars} -e@${WORKSPACE}/configuration-secure/ansible/vars/developer-sandbox.yml --user ubuntu
+ansible-playbook edx_ansible.yml -i "${deploy_host}," -e@${extra_vars_file} -e@${WORKSPACE}/configuration-secure/ansible/vars/developer-sandbox.yml --user ubuntu
 
-rm -f "$extra_vars"
+rm -f "$extra_vars_file"

util/jenkins/build-ami.sh

+#!/bin/bash -x
+# This script is meant to be run from jenkins and expects the
+# following variables to be set:
+#   - BUILD_ID - set by jenkins, Unique ID of build
+#   - BUILD_NUMBER - set by jenkins, Build number
+#   - refs - repo revisions to pass to abbey. This is provided in YAML syntax,
+#            and we put the contents in a file that abbey reads. Refs are
+#            different from 'vars' in that each ref is set as a tag on the
+#            output AMI.
+#   - vars - other vars to pass to abbey. This is provided in YAML syntax,
+#            and we put the contents in a file that abby reads.
+#   - deployment - edx, edge, etc
+#   - environment - stage,prod, etc
+#   - play - forum, edxapp, xqueue, etc
+#   - base_ami - Optional AMI to use as base AMI for abby instance
+#   - configuration - the version of the configuration repo to use
+#   - configuration_secure - the version of the secure repo to use
+#   - jenkins_admin_ec2_key - location of the ec2 key to pass to abbey
+#   - jenkins_admin_configuration_secure_repo - the git repo to use for secure vars
+#   - use_blessed - whether or not to use blessed AMIs
+
+if [[ -z "$BUILD_ID" ]]; then
+  echo "BUILD_ID not specified."
+  exit -1
+fi
+
+if [[ -z "$BUILD_NUMBER" ]]; then
+  echo "BUILD_NUMBER not specified."
+  exit -1
+fi
+
+if [[ -z "$refs" ]]; then
+  echo "refs not specified."
+  exit -1
+fi
+
+if [[ -z "$deployment" ]]; then
+  echo "deployment not specified."
+  exit -1
+fi
+
+if [[ -z "$environment" ]]; then
+  echo "environment not specified."
+  exit -1
+fi
+
+if [[ -z "$play" ]]; then
+  echo "play not specified."
+  exit -1
+fi
+
+if [[ -z "$jenkins_admin_ec2_key" ]]; then
+  echo "jenkins_admin_ec2_key not specified."
+  exit -1
+fi
+
+if [[ -z "$jenkins_admin_configuration_secure_repo" ]]; then
+  echo "jenkins_admin_configuration_secure_repo not specified."
+  exit -1
+fi
+
+export PYTHONUNBUFFERED=1
+
+if [[ -z $configuration ]]; then
+  cd configuration
+  configuration=`git rev-parse HEAD`
+  cd ..
+fi
+
+if [[ -z $configuration_secure ]]; then
+  cd configuration-secure
+  configuration_secure=`git rev-parse HEAD`
+  cd ..
+fi
+
+base_params=""
+if [[ -n "$base_ami" ]]; then
+  base_params="-b $base_ami"
+fi
+
+blessed_params=""
+if [[ "$use_blessed" == "true" ]]; then
+  blessed_params="--blessed"
+fi
+
+cd configuration
+pip install -r requirements.txt
+
+cd util/vpc-tools/
+
+echo "$refs" > /var/tmp/$BUILD_ID-refs.yml
+cat /var/tmp/$BUILD_ID-refs.yml
+
+echo "$vars" > /var/tmp/$BUILD_ID-extra-vars.yml
+cat /var/tmp/$BUILD_ID-extra-vars.yml
+
+python -u abbey.py -p $play -t c1.medium  -d $deployment -e $environment -i /edx/var/jenkins/.ssh/id_rsa $base_params $blessed_params --vars /var/tmp/$BUILD_ID-extra-vars.yml --refs /var/tmp/$BUILD_ID-refs.yml -c $BUILD_NUMBER --configuration-version $configuration --configuration-secure-version $configuration_secure -k $jenkins_admin_ec2_key --configuration-secure-repo $jenkins_admin_configuration_secure_repo

util/vpc-tools/abbey.py

@@ -71,9 +71,6 @@ def parse_args():
                         help="path to extra var file", required=False)
     parser.add_argument('--refs', metavar="GIT_REFS_FILE",
                         help="path to a var file with app git refs", required=False)
-    parser.add_argument('-a', '--application', required=False,
-                        help="Application for subnet, defaults to admin",
-                        default="admin")
     parser.add_argument('--configuration-version', required=False,
                         help="configuration repo branch(no hashes)",
                         default="master")
@@ -85,9 +82,6 @@ def parse_args():
                         help="repo to use for the secure files")
     parser.add_argument('-c', '--cache-id', required=True,
                         help="unique id to use as part of cache prefix")
-    parser.add_argument('-b', '--base-ami', required=False,
-                        help="ami to use as a base ami",
-                        default="ami-0568456c")
     parser.add_argument('-i', '--identity', required=False,
                         help="path to identity file for pulling "
                              "down configuration-secure",
@@ -108,6 +102,22 @@ def parse_args():
                         default=5,
                         help="How long to delay message display from sqs "
                              "to ensure ordering")
+    parser.add_argument("--hipchat-room-id", required=False,
+                        default=None,
+                        help="The API ID of the Hipchat room to post"
+                             "status messages to")
+    parser.add_argument("--hipchat-api-token", required=False,
+                        default=None,
+                        help="The API token for Hipchat integration")
+
+    group = parser.add_mutually_exclusive_group()
+    group.add_argument('-b', '--base-ami', required=False,
+                        help="ami to use as a base ami",
+                        default="ami-0568456c")
+    group.add_argument('--blessed', action='store_true',
+                        help="Look up blessed ami for env-dep-play.",
+                        default=False)
+
     return parser.parse_args()
 
 
@@ -126,6 +136,21 @@ def get_instance_sec_group(vpc_id):
 
     return grp_details[0].id
 
+def get_blessed_ami():
+    images = ec2.get_all_images(
+        filters={
+            'tag:environment': args.environment,
+            'tag:deployment': args.deployment,
+            'tag:play': args.play,
+            'tag:blessed': True
+        }
+    )
+
+    if len(images) != 1:
+        raise Exception("ERROR: Expected only one blessed ami, got {}\n".format(
+            len(images)))
+
+    return images[0].id
 
 def create_instance_args():
     """
@@ -292,7 +317,7 @@ rm -rf $base_dir
         'security_group_ids': [security_group_id],
         'subnet_id': subnet_id,
         'key_name': args.keypair,
-        'image_id': args.base_ami,
+        'image_id': base_ami,
         'instance_type': args.instance_type,
         'instance_profile_name': args.role_name,
         'user_data': user_data,
@@ -448,7 +473,7 @@ def create_ami(instance_id, name, description):
                 img.add_tag("cache_id", args.cache_id)
                 time.sleep(AWS_API_WAIT_TIME)
                 for repo, ref in git_refs.items():
-                    key = "vars:{}".format(repo)
+                    key = "refs:{}".format(repo)
                     img.add_tag(key, ref)
                     time.sleep(AWS_API_WAIT_TIME)
                 break
@@ -466,7 +491,6 @@ def create_ami(instance_id, name, description):
 
     return image_id
 
-
 def launch_and_configure(ec2_args):
     """
     Creates an sqs queue, launches an ec2 instance,
@@ -556,6 +580,17 @@ def launch_and_configure(ec2_args):
 
     return run_summary, ami
 
+def send_hipchat_message(message):
+    #If hipchat is configured send the details to the specified room
+    if args.hipchat_api_token and args.hipchat_room_id:
+        import hipchat
+        try:
+            hipchat = hipchat.HipChat(token=args.hipchat_api_token)
+            hipchat.message_room(args.hipchat_room_id,'AbbeyNormal',
+               message)
+        except Exception as e:
+            print("Hipchat messaging resulted in an error: %s." % e)
+
 if __name__ == '__main__':
 
     args = parse_args()
@@ -597,6 +632,11 @@ if __name__ == '__main__':
         print 'You must be able to connect to sqs and ec2 to use this script'
         sys.exit(1)
 
+    if args.blessed:
+        base_ami = get_blessed_ami()
+    else:
+        base_ami = args.base_ami
+
     try:
         sqs_queue = None
         instance_id = None
@@ -620,6 +660,23 @@ if __name__ == '__main__':
                 print "{:<30} {:0>2.0f}:{:0>5.2f}".format(
                     run[0], run[1] / 60, run[1] % 60)
             print "AMI: {}".format(ami)
+
+            message = 'Finished baking AMI {image_id} for {environment} ' \
+              '{deployment} {play}.'.format(
+                    image_id=ami,
+                    environment=args.environment,
+                    deployment=args.deployment,
+                    play=args.play)
+
+            send_hipchat_message(message)
+    except Exception as e:
+        message = 'An error occurred building AMI for {environment} ' \
+            '{deployment} {play}.  The Exception was {exception}'.format(
+                environment=args.environment,
+                deployment=args.deployment,
+                play=args.play,
+                exception=repr(e))
+        send_hipchat_message(message)
     finally:
         print
         if not args.no_cleanup and not args.noop:

util/vpc-tools/requirements.txt

 boto
-docopt
+docopt
\ No newline at end of file
+python-simple-hipchat

vagrant/base/devstack/Vagrantfile

+Vagrant.require_version ">= 1.5.3"
+
 VAGRANTFILE_API_VERSION = "2"
 
 MEMORY = 2048
@@ -26,7 +28,9 @@ Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
   config.vm.network :forwarded_port, guest: 8000, host: 8000
   config.vm.network :forwarded_port, guest: 8001, host: 8001
   config.vm.network :forwarded_port, guest: 4567, host: 4567
+  config.ssh.insert_key = true
 
+  config.vm.synced_folder  ".", "/vagrant", disabled: true
   config.vm.synced_folder "#{edx_platform_mount_dir}", "/edx/app/edxapp/edx-platform", :create => true, nfs: true
   config.vm.synced_folder "#{forum_mount_dir}", "/edx/app/forum/cs_comments_service", :create => true, nfs: true
   config.vm.synced_folder "#{ora_mount_dir}", "/edx/app/ora/ora", :create => true, nfs: true
@@ -45,9 +49,13 @@ Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
     vb.customize ["modifyvm", :id, "--natdnshostresolver1", "on"]
   end
 
+  # Make LC_ALL default to en_US.UTF-8 instead of en_US.
+  # See: https://github.com/mitchellh/vagrant/issues/1188
+  config.vm.provision "shell", inline: 'echo \'LC_ALL="en_US.UTF-8"\' > /etc/default/locale'
+
   config.vm.provision :ansible do |ansible|
     ansible.playbook = "../../../playbooks/vagrant-devstack.yml"
-    ansible.inventory_path = "../../../playbooks/vagrant/inventory.ini"
-    ansible.verbose = "extra"
+    ansible.verbose = "vvvv"
+
   end
 end

vagrant/base/fullstack/Vagrantfile

+Vagrant.require_version ">= 1.5.3"
+
 VAGRANTFILE_API_VERSION = "2"
 
 MEMORY = 2048
@@ -6,7 +8,8 @@ CPU_COUNT = 2
 Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
   config.vm.box     = "precise64"
   config.vm.box_url = "http://files.vagrantup.com/precise64.box"
-
+  config.ssh.insert_key = true
+  config.vm.synced_folder  ".", "/vagrant", disabled: true
   config.vm.network :private_network, ip: "192.168.33.10"
 
   config.vm.provider :virtualbox do |vb|
@@ -20,10 +23,16 @@ Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
     vb.customize ["modifyvm", :id, "--natdnshostresolver1", "on"]
   end
 
+  # Make LC_ALL default to en_US.UTF-8 instead of en_US.
+  # See: https://github.com/mitchellh/vagrant/issues/1188
+  config.vm.provision "shell", inline: 'echo \'LC_ALL="en_US.UTF-8"\' > /etc/default/locale'
+
   config.vm.provision :ansible do |ansible|
     # point Vagrant at the location of your playbook you want to run
     ansible.playbook = "../../../playbooks/vagrant-fullstack.yml"
-    ansible.inventory_path = "../../../playbooks/vagrant/inventory.ini"
-    ansible.verbose = "extra"
+    # set extra-vars here instead of in the vagrant play so that
+    # they are written out to /edx/etc/server-vars.yml which can
+    # be used later when running ansible locally
+    ansible.verbose = "vvvv"
   end
 end

vagrant/release/devstack/Vagrantfile

+Vagrant.require_version ">= 1.5.3"
+
 VAGRANTFILE_API_VERSION = "2"
 
 MEMORY = 2048
@@ -18,7 +20,7 @@ cd /edx/app/edx_ansible/edx_ansible/playbooks
 # this can cause problems (e.g. looking for templates that no longer exist).
 /edx/bin/update configuration release
 
-ansible-playbook -i localhost, -c local vagrant-devstack.yml --tags=deploy -e configuration_version=release
+ansible-playbook -i localhost, -c local vagrant-devstack.yml -e configuration_version=release
 SCRIPT
 
 edx_platform_mount_dir = "edx-platform"
@@ -36,13 +38,16 @@ end
 Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
 
   # Creates an edX devstack VM from an official release
-  config.vm.box     = "himbasha-devstack"
-  config.vm.box_url = "http://files.edx.org/vagrant-images/20140325-himbasha-devstack.box"
+  config.vm.box     = "injera-devstack"
+  config.vm.synced_folder  ".", "/vagrant", disabled: true
+  config.vm.box_url = "http://files.edx.org/vagrant-images/20140418-injera-devstack.box"
 
   config.vm.network :private_network, ip: "192.168.33.10"
   config.vm.network :forwarded_port, guest: 8000, host: 8000
   config.vm.network :forwarded_port, guest: 8001, host: 8001
   config.vm.network :forwarded_port, guest: 4567, host: 4567
+  config.vm.network :forwarded_port, guest: 8765, host: 8765
+  config.ssh.insert_key = true
 
   # Enable X11 forwarding so we can interact with GUI applications
   if ENV['VAGRANT_X11']
@@ -62,6 +67,10 @@ Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
     vb.customize ["modifyvm", :id, "--natdnshostresolver1", "on"]
   end
 
+  # Use vagrant-vbguest plugin to make sure Guest Additions are in sync
+  config.vbguest.auto_reboot = true
+  config.vbguest.auto_update = true
+
   # Assume that the base box has the edx_ansible role installed
   # We can then tell the Vagrant instance to update itself.
   config.vm.provision "shell", inline: $script

vagrant/release/fullstack/Vagrantfile

+Vagrant.require_version ">= 1.5.3"
+
 VAGRANTFILE_API_VERSION = "2"
 
 MEMORY = 2048
@@ -6,8 +8,10 @@ CPU_COUNT = 2
 Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
 
   # Creates an edX fullstack VM from an official release
-  config.vm.box     = "himbasha-fullstack"
-  config.vm.box_url = "http://files.edx.org/vagrant-images/20140325-himbasha-fullstack.box"
+  config.vm.box     = "injera-fullstack"
+  config.vm.box_url = "http://files.edx.org/vagrant-images/20140418-injera-fullstack.box"
+  config.vm.synced_folder  ".", "/vagrant", disabled: true
+  config.ssh.insert_key = true
 
   config.vm.network :private_network, ip: "192.168.33.10"
   config.hostsupdater.aliases = ["preview.localhost"]