Okay, there's a list available for testing on the new
Mailman3/HyperKitty server:
test-mailm...@lists.fedoraproject.org
You can subscribe to it via the admin interface (called Postorius):
https://lists.fedoraproject.org/admin/lists/test-mailm...@lists.fedoraproject.org/
Please report any bug you
Hey folks,
I'm sorry to announce that I had to rollback the migration of
lists.fedorahosted.org to Mailman 3.
There's a missing feature again, that is heavily used by two lists on
this server, it's the header_filter_rules. It lets the admin decide on
header regexes that will set a different
Did you use an old subscription list? I have not been subscribed to @infra
for about a month and today I start receiving these from you guys.
Ah, yes, sorry, I did get an updated subscription list but it only
added new entries.
Performing the unsubscribe process again does not send me a
Might be an idea to send one when you start the migration as well :]
Just that we are not surprised or that we watch if one of our emails doesn't
land on the list.
Yeah, that would have been a good idea, but it's too late: your
message was processed by Mailman3 already ;-)
Performing the unsubscribe process again does not send me a confirmation
e-mail.
It looks like you're still subscribed, which unsubscribe process did you follow?
Thanks and sorry for the inconvenience.
Aurélien
Ooh, can we switch from gravatar to libravatar?
Will do, thanks :-)
A.
Hey guys, I'm currently demoing Hyperkitty with this list!
Say Hi!
A.
Once you can implement upstream, do you plan to try again
with a patched version while we await an upstream point-release?
Yes, that's my plan. My RPM already carries a few patches that are not
released, and even still under review. I update them (and eventually
remove them :-) ) as they get
> Let's instead give really simple instructions for adding it. And make
> sure it happens on at least the big lists.
>
> Can we add it in cases where the footer isn't customized?
I'll check that.
OK I've sent the emails to the lists, they are obviously held for
moderation, could someone with the
> I know it's hard to estimate times, but perhaps we could look at
> migrating all of lists.fedorahosted.org (aside the ones that use
> filters and topics) first on the 16th, then start on the
> lists.fedoraproject.org ones after that? Or keeping a status on the
> wiki might be nice so people know
Hi people!
Since it's Friday evening, I just unilaterally decided to migrate all
the lists to Mailman3 without telling you anything in advance... Nah
just kidding :-)
However, I think the best time to migrate the rest of the lists would
be the week before Thanksgiving. That would give me some
Hey Martin,
> Our patch review list (anaconda-patches) has been migrated, but it
> looks like the new Mailman 3 archiver is eating leading whitespace, as
> can be seen for example here:
> https://lists.fedorahosted.org/archives/list/anaconda-patches%40lists.f
>
> On Tue, Dec 01, 2015 at 09:41:59AM -0500, Patrick Uiterwijk wrote:
> > We made these 404's when we found out that they were redirecting to
> > the wrong posts. Once all lists are moved to mailman, we will be
> > putting the old archives back, restoring all original links to their
> > original
> Right, all trac's on fedorahosted send email as:
>
> "Trac name" t...@fedorahosted.org
>
> and I think the name in "s has confused hyperkitty.
>
Very likely, it's probably using the last one it's seen as the display
name. Since the email address is the key, I'm not sure if we can do much
about
Hey team,
Next week I'll be going offline for 3 weeks (two of them being really off
the grid, I'm going to the European equivalent of the Burning Man
festival...), so I'd like to check with you what errors I've seen our
production Mailman3 instance do these last weeks.
I think that the main
> > How sensible is the data stored in the DB? Too much to be made public?
>
> Yeah, I wondered the same. Could we sanitize any user auth/account data
> and just make the raw posts of all the public lists available?
>
Hmm, There's the issue of people's email addresses, it could become a gold
mine
> Could we generate UUIDs for the imported mail? That would be incredibly
> valuable in my analysis _anyway_.
>
Hmm yes I could create the users in Mailman3 even if they never sent an
email in the new system. But I may have a better idea, here's what I could
do:
- get the old emails from
Hey folks,
Matt would like read access on HyperKitty's production database to collect
some statistics[1], and I wondered if we have a procedure for this kind of
request.
[1] https://fedorahosted.org/fedora-infrastructure/ticket/5070
Should it be done via a script that would be stored in our
Hello.
This is a known bug, it's been fixed already but the fix wasn't deployed. I
just patched the production code, is it working now?
Aurélien
___
infrastructure mailing list
infrastructure@lists.fedoraproject.org
> If we update them and need to back out would a downgrade work ok, or
> are there database changes, etc?
>
There are database changes, but I have upgrade and downgrade migration
scripts in the packages.
Aurélien
Hi!
There's been a lot of recent changes in the Mailman stack, including a new
feature that will let us migrate more lists. I'd like to update the
software stack on prod and keep it under observation for a few days (there
are apparently performance issues for some people).
This freeze break does
> +1 if you send a quick note to the list how we could perform the
> downgrade :)
Sure, that would be:
# sudo -u mailman python34-alembic -c /usr/lib/python3.4/site-packages/mailman/config/alembic.cfg downgrade -1
While the new packages are still installed, and then downgrade the RPMs.
A.
> +1 for me as well, although figuring out which page is causing the issue
> would
> be nice (maybe something for minimot?)
I believe it's the fulltext indexing process that causes these memory
feasts. In my understanding, it eats memory until the swap is full and it's
OOM-killed, and afterwards
Hey there,
Quick update on the Mailman3 migration. I have now migrated all lists to
the new mailman01 server (including fedorahosted lists). I've also migrated
the SpamAssassin configuration and database and it seems to be working fine.
I had to make a small tweak to the postfix configuration
> > > My next step is to download the old HTML archives and make them
> > > > available on mailman01 through Apache to preserve existing URLs in
> > > > the wild.
OK, I've migrated those files, setup the proper Apache directives, and
tested it.
As far as I know, we can remove the old servers
> I think that's fine. For some reason this change is pending on all
> machines tho, need to sort out why it's not mailman/smtp-mm only.
>
Hmm, that's strange, I only changed
'roles/base/files/postfix/master.cf/master.cf.mailman', so it should only
affect hosts in the 'mailman' group.
I also
Sorry for my late reply, yesterday was a national holiday in my country and
I was offline.
> I can post that blog post a few days before the migration?
> Or just publish it now?
I'd say publish it now, some people like to be warned way beforehand,
especially if they must change their custom
> ok. Have safe travels. ;)
>
Thanks!
> Oh, while I am looking at them... how about I go over the outstanding
> mailman3 bugs in trac we have?
>
> https://fedorahosted.org/fedora-infrastructure/ticket/1002
> "Enable syndication of fedora mailing lists"
>
> * This is an old ticket and we had
Hey folks!
I've been working on updating the Mailman production code. There are big
schema changes that I tried to optimize and finally came up with a solution
that will minimize unavailability.
I think I need a 1 hour window of planned outage. I'm at UTC+1 so I could
do it in my morning, while
> Mailed the announcement out. Thanks for writing that up. ;)
Thanks!
> Oh, one other list thing:
> https://pagure.io/fedora-infrastructure/issue/5478
> is waiting on a list rename before we do other changes.
> Can we schedule that sometime after the outage?
Yeah, that should be possible. I
Hey folks,
I have a big mailman update that I'd like to test on staging, and I think
that my testing would be more realistic if I had some production data on
the staging DB. I mostly need public data, I don't need the user accounts
or the private lists data for example.
I realize that I could
> Make a staging sync playbook. ;)
> Look at the ansible/playbooks/manual/staging-sync/koji.yml
>
Great, thanks! :-)
A.
Done that, but now rbac-playbook says I'm not allowed to run :
manual/staging-sync/mailman.yml
Could someone add the ACL for me please?
Thanks!
Aurélien
> Can you file an issue on this and @abompard in it so he knows to take a
> look?
>
FYI the issue is being handled here:
https://pagure.io/fedora-infrastructure/issue/5513
Aurélien
Hey!
Last Friday I deployed a new version of the Mailman / Postorius /
HyperKitty stack on prod. There are a lot of improvements, but one of the
most visible (and maybe the main reason for writing those changes) is the
login system. Previously, we mainly relied on Mozilla Persona and FAS. As
you
> Thanks for the heads-up, I was wondering, do you have some order of
> magnitude of
> how many accounts we're talking about?
That's a little less than 2000 accounts (1840).
> Could it be possible to check how many of these people have a FAS account
> with
> the same email?
Hmm, I'm not sure
> Is that too far out?
>
This is fine. ;-)
A.
Hey people!
As you all know, Mozilla Persona is going down in the next few months. I've
spent the last weeks since Flock updating the Mailman UI code to use a
library that will allow us to support local accounts properly, on top of
external services accounts. I'm currently testing it in staging,
Hey folks,
I'd like to do some triage of the fedmsg issues currently open on Github,
then discuss with you what we should prioritize and decide on a roadmap.
Triage, first. I haven't had a chance to get to know fedmsg intimately
enough so I hope you'll correct me. Here is the list of open issues
Hey people,
I'm in a situation that I don't think is covered by the guidelines. Here's
the thing: RHEL/CentOS ships some python packages in their Python 2
version, but not for Python 3 since RHEL/CentOS does not ship Python 3.
Let's take the example of python-zope-interface. I need the python3
Hey Misha,
> I can not re-enable or change sending of mailing list mail to myself.
>
> https://lists.fedoraproject.org/admin/accounts/subscriptions
>
> Internal Server Error
I've managed to reproduce the error, it apparently happens when
someone has a lot of subscriptions (say, more than 15)
If nobody has an issue with the timeslot I chose, I'm going to post this to
devel-announce too.
A.
>
> Seems ok to me. Unfortunate that it takes so long to run, but such is life.
>
Yeah it's basically rewriting the entire email and thread tables...
I'll try to find a way to make it faster until next week, that would be a
bonus.
A.
FYI, I've reported this upstream:
https://gitlab.com/mailman/postorius/issues/205
A.
There will be an outage starting at 2017-08-04 21:00 UTC, which will last
approximately 15 hours.
To convert UTC to your local time, take a look at
https://fedoraproject.org/wiki/UTCHowto
or run:
date -d '2017-08-04 21:00 UTC'
Reason for outage: important HyperKitty database schema change
Hi!
> >> While I was debugging settings not saving for Mailman, I found out
> >> that this was caused
> >> by the schema of the "template" table being incorrect.
> >>
> >> It had the following gem:
> >> password | timestamp without time zone
> >>
> >> I've just run the following query to make it be
>
> Yes, I agree. If this can't be put off until a couple of weeks after
> GA, let's do it soon.
>
Thanks. Actually, it could be put off a couple weeks after GA. How many do
you think would be best?
A.
>
> Are you thinking of something like the following (is it even possible?)?
> [...]
>
I hadn't thought of this "2-step" process, I'm not sure it's possible since
there are primary key type changes, but I'll think about it some more.
Thanks.
A.
Hey people,
Around 2 years ago, we (Pingou, Rahul, Vivek and me) started designing
and writing some code for Fresque, a package review server for Fedora.
The aim was to replace our current Bugzilla-based process.
However, stuff happened in the meantime that was higher priority and
Fresque
Hey folks!
I have a need for Python 3.5+ in EPEL7 (newest versions of Mailman 3
require it), so I tried rebuilding the Python 3.6 RPM as a
parallel-installable package by taking advantage of our %python3_other_*
macros. There's a lot of packages that need to be built in the right order
to get to
> Who is going to support it for CVEs and security issues? There's
> python 3.6 in software collections, although I'm not sure they get
> used in infra or not, at least it would have support for CVEs though.
>
That's a good question, I'd rather not do that support if possible
(although I guess I
Hey folks!
Jeremy and I have been working on a proposal to migrate fedmsg from our
current brokerless architecture to a broker-based architecture.
The overview and reasons for the migration are described on this page:
> I'm a little worried about Django. True, we have to maintain a version
> for mailman3, but it's rhel7/python3. Is this new app going to use that?
Actually, HyperKitty and Postorius are using Django on Python 2.7. The
Django version is 1.8 and it's pretty old now.
I would recommend against
> Within limits. It should be a version that's supported and gets at least
> security updates. Hopefully the one(s) in Fedora follow this.
Yeah it's 1.11 now which is LTS, since it'll be the last version to
support Python 2
> There are a few flask rest frameworks, but I have not much idea how
> It's nice to give the flexibility to clients by exposing both. I
> haven't seen a problem with topic matching in my experience so far.
While I like the idea of adding flexibility, it'll probably also be
harder on the debugging and maintenance side of things. We will keep
the ZeroMQ gateway for
Hey, sorry for the silence on this subject, I was experimenting with
deployment options.
So far, here's what I've come up with.
Npm has a command called "shrinkwrap" which will list all the installed
dependencies and their versions recursively and dump that in a file. It's
pretty much like "pip
> Basically you do this:
> Provides: bundled(bootstrap) = 3.0.1
> This way it is possible to search the collection of RPMs for all that
> contain versions of dependencies with known security issues.
>
That's neat, I could write a script that extracts the versions from the
npm-shrinkwrap file.
> I think this could work ok, but you might run into problems with updates
> if the versions shift around... but I guess as long as you re
> 'shrinkwrap' on updates it should work.
That's the plan, re-run shrinkwrap after each change.
> We don't have any way to track
> security issues for all
> I think doing it with a macro would be sweet.
Well, it wasn't so hard :
https://abompard.fedorapeople.org/misc/nodejs-npm-rpm-macros/
$ rpm -qp --provides build/fedora-hubs-0.0.1-7.fc27.noarch.rpm | head
Provides:
bundled(nodejs-abab) = 1.0.4
bundled(nodejs-accepts) = 1.3.4
Hey folks!
I would like to try and do the Fedora Hubs deployment in our Openshift
instance.
The thing is, I have never deployed anything in Openshift, much less using
our ansible playbooks.
Do you know of a documentation I could read up on to understand what our
`openshift/project`,
In the normal vm case, I have a couple questions:
- What will my URL be? https://hubs.stg.fedoraproject.org I guess?
- What's the Ipsilon instance I should register with? I used to register on
iddev.fedorainfracloud.org but I guess that's no good for staging
- I need the following passwords set
> > - What's the Ipsilon instance I should register with? I used to register
> > on iddev.fedorainfracloud.org but I guess that's no good for staging
>
> I'll let Patrick answer, but I believe this is going to be id.stg.fp.o for
> which
> the registration is different (ie: not
> Since deploying hubs is time sensitive, perhaps we should just initially
> do a staging on a normal vm and look at openshift down the road?
I would prefer the normal vm route for now. I'll look into deploying on
openshift when we decide to open Hubs to a wider range of teams.
Thanks!
Aurélien
> Well, the idea was that we have a admin user that can change schema and
> drop things and the like and the 'normal' user that the app runs with
> that cannot do those things. That way if the application is compromised,
> they can only do things the normal user could do, not dropping entire
>
>> https://github.com/noirbizarre/flask-restplus
Actually, I haven't tried that one. It seems pretty good (from the
docs), has anybody tried it?
> Could this caching proxy just use EmptyDir (ie, only for the life of that
> pod) and just refresh when it restarts? If it really needs disk, might
> be better to do on a vm at this point.
Since it's just caching, I guess that would be sufficient, unless we
cycle the pod frequently. It would be
> Is there a list of changes in this new version?
>
Not exactly, there's a lot of fixes but very few new features (and nothing
very obvious for the user anyway).
> Has staging been updated ok?
>
Yes, it's been a couple weeks now, it works fine.
Thanks for the +1 folks!
A.
> > The "pdc-lite" options are attractive, across the board.
>
I know Django and Django-REST-Framework, and I've made a small contribution
to PDC a few months ago, so I may be of use if that's the path we choose.
Aurélien
Hey! :-)
Since the beta freeze break may be longer, I'd like to make a bugfix update
to the Mailman & Postorius (admin UI) RPMs.
There's no ansible change, just a code update, it should all go smoothly.
The outage ticket is: https://pagure.io/fedora-infrastructure/issue/6762
I plan on doing it
Hey folks!
Pingou would like to announce the availability of mailing-lists on
lists.pagure.io with the 5.0 release. The following patch should add
the new domain to our mailing list server.
Affected services are the mailman server and the proxies.
Can I get a couple +1s?
A.
commit
> I've been playing around with openshift staging for the last few weeks
> and enabling some cool features. :)
Cool! I seem to remember that having persistent storage in our
Openshift instance was a difficult thing. I'm considering Openshift to
setup a PyPI caching proxy for us, and that will
> I like the CI test idea, a little bit like when we test that the code base
> is pep8 compliant or the test coverage is above 90%. There are a couple of
> python packages that could be useful to help with that [0] [1].
>
> [0] https://github.com/dhatim/python-license-check
> [1]
> everything should be there for
> this with one exception: We really want to have some check in place for
> s2i so that it checks license, so we don't accidentally push out
> something that's not under an open source license. This doesn't need to be
> a blocker, but it would be great to get in
> Can I get +1s for the patch to the "dns" repo underneath?
> This should make "rabbitmq.fp.o" resolve to proxy101/proxy110 internally.
+1 ! :-)
A.
> my overall feeling is that the
> risk of DoS should be one of the factor we take into account to make
> the decision but we should also consider how easy is it to use, how
> easy is it to maintain, how much effort is it to setup.
I agree, and since both burdens (daily maintenance and dealing
Hey y'all,
Fedora Messaging, the replacement for fedmsg, is using AMQP and thus a
message broker. The current clusters we have deployed in staging and
prod are only accessible from inside our infrastructure.
There are two needs for an externally accessible broker:
- the CentOS folks, who are
I'm assuming you're considering the solution where we have a single
broker and we make it publicly accessible (option 1).
> how easy would it be to turn off the possibility for external
> publisher to flood the broker ?
External clients won't publish anything, they'll be read-only (with a
few
Hey folks,
I'm migrating bugzilla2fedmsg to Fedora Messaging, and I thought it'd
be a good opportunity to migrate it to OpenShift also.
It only requires a connection to the STOMP brokers[0] on port 61612.
Is this available from inside OpenShift?
[0]
Hey Leigh!
- Project you are actively working regularly on
>
- Fedora Messaging
- Bodhi
> - Link to the Landing Page / Tracker / Source / Docs / anything relevant
> really that might help me get a handle on the project
>
Fedora Messaging:
- https://fedora-messaging.readthedocs.io/en/stable/
-
> My fear here is that someone will manually create something and we have
> to redeploy for some reason. They will be broken until they manually
> remember to do what they did again. :(
>
It's not manual at all actually, the queues that should be declared are in
the app's configuration file,
>
> I've made a few changes to Jeremy's proposal, because I wanted to make use
> of the configuration file that the NRPE plugin already deploys.
> Attached is my proposed change to the Ansible repo.
>
> If that works I'll add more checks later on.
>
>
OK I deployed that config but now SELinux is
Alright, I now have quite a few checks for the RabbitMQ servers. Those
checks also give out interesting metrics like queue sizes, connections,
message throughput, etc.
Do we have something in place to use and display those metrics?
I'd like to look at what our common usage values and trends are
>
> What should I do? Create a SELinux module to allow that connection? Do we
> have a policy regarding that sort of module creation?
>
I see that the Copr role has a policy module in Ansible (both source and
binary), copies the binary to the destination and loads it with "semodule
-i". Can I do
Le jeu. 16 mai 2019 à 16:52, Jeremy Cline a écrit :
> Commit eae92f73e95 installed the nagios scripts[0] that are packaged for
> epel7-infra on the RabbitMQ hosts. This is an attempt to use them with
> nagios. I don't know anything about nagios though, so I have no idea if
> this is even close
>
> I'd like to try to implement this, and possibly add app-specific
> monitoring of queues afterwards.
>
I've made a few changes to Jeremy's proposal, because I wanted to make use
of the configuration file that the NRPE plugin already deploys.
Attached is my proposed change to the Ansible repo.
> Do you have a ansible patch here?
>
>
Yes, sorry, this is it.
diff --git a/roles/rabbit/queue/tasks/main.yml b/roles/rabbit/queue/tasks/main.yml
index 7259984f6..68ced3015 100644
--- a/roles/rabbit/queue/tasks/main.yml
+++ b/roles/rabbit/queue/tasks/main.yml
@@ -66,7 +66,7 @@
Hey folks,
The fedora-messaging consumers are currently subscribed to the amq.topic
exchange where they get all messages sent over AMQP. However, the bridges
that forward messages from fedmsg publish to the zmq.topic exchange,
therefore consumers need to subscribe to that one too to benefit from
> Patch looks good and you have a plan of action. +1
>
Thanks. I've pushed the Ansible change and moved the build from
epel7-infra-stg to epel7-infra, but now I need someone in sysadmin-main to
update the RPM and run the playbook on autosign01, since I don't have the
permissions for that.
I'm on
Hey folks,
Last Monday, before the freeze, we updated Robosignatory in prod with a few
new features, some of which could not be tested in staging as thoroughly as
we wanted to. As a result, the version currently in prod has issues with
the CoreOS artifacts. We've worked on that and our tests in
Hey folks,
I thought I'd make a summary of where I'm at. Here are the issues I found
and what I did about it:
- We ran into an Ansible issue that the PR
https://github.com/ansible/ansible/pull/50381 fixes. I've asked pingou to
patch batcave since it's basically a one-liner that will keep working
> I hit some permissions problems with the playbook that I can't figure
> out.
>
I found why, apparently when tags (rabbitmq tags, not ansible tags) aren't
specified with the rabbitmq_user ansible module, it clears them while I
thought it would leave them alone.
I've fixed it, it should work now.
> We have been having the cluster fall over for still unknown reasons,
> but this patch should at least help prevent them
>
I wish I understood what's actually going on, but +1 on those changes to
see if they help.
If they do we may consider reverting to the default when we upgrade to the
newer
> > I am not sure what to do.. I do not know how hard it would be to pull
>> basset out of the system and I do not have the time to update/fix/improve
>> Patrick's code on this. So I figured it would be good to get some feedback
>> on this.
>>
>
So, I guess the new AAA system doesn't have to
Hey folks,
To test authentication with the new AAA system I'd like to deploy a couple
very basic apps that do nothing but auth in staging's openshift. It
shouldn't touch any configuration besides the reverse proxies and the new
project in openshift. And it's staging only.
Is it OK?
Thanks.
> Sure, but if you could clean them up afterward that would be good.
Will do, thanks.
> +1 for me, though I'm not sure I follow the advantage of them over say
> fedocal,
> elections or the wiki.
I could check the features I'm testing independently, such as group
membership, agreement signing,
> I'm happy to announce that We have approved several folks into the
>> sysadmin-main group:
>>
>> mobrien - Mark O'Brien
>> abompard - Aurelien Bompard
>>
>> This is the core group of trusted folks that have high level access to most
>> everything in fedo
Thanks for the update!
> Account system / noggin:
IPA is deployed, Noggin is deployed, FASJSON (the REST API) is
deployed, Ipsilon is deployed.
Yesterday we managed to have the elections app authenticate a random
user (that would be me) through Ipsilon (OIDC) as before, except
Ipsilon is now
> But yeah, I think if the fas sync is going to take a bit, perhaps we
> should disable the new account creation for now.
I've added the feature to disable registration yesterday, once it's
reviewed and merged I'll push it to the staging instance and disable
the registration. Thanks for pointing
> It doesn't? What about https://github.com/freeipa/freeipa-container ?
>
> My understanding is that it is an experimental implementation
> currently. FreeIPA does not necessarily work very well broken up into
> containers right now.
>
Yes, and running FreeIPA in a container requires the
Hey folks!
I have released and deployed FASJSON 1.1.0 to production a few minutes ago.
It's a small release, as you can see. I've also rebased the Openshift image
on F34 (it was on F32).
*Features:*
- Field mask support: request more or less object attributes with a HTTP
header (#144