Re: Freeze Break Request: update wildcard cert to new one

[Rick Elrod]

+1, lgtm assuming you grepped and found all of them (I did not check).

-re

On Thu, Feb 27, 2020 at 3:26 PM Stephen John Smoogen  wrote:
>
>
> This patch should make the changes to the appropriate files so that various 
> playbooks will use the newer certificate wildcard-2020
>
> --
> Stephen J Smoogen.
>
> ___
> infrastructure mailing list -- infrastructure@lists.fedoraproject.org
> To unsubscribe send an email to infrastructure-le...@lists.fedoraproject.org
> Fedora Code of Conduct: 
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: 
> https://lists.fedoraproject.org/archives/list/infrastructure@lists.fedoraproject.org
___
infrastructure mailing list -- infrastructure@lists.fedoraproject.org
To unsubscribe send an email to infrastructure-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/infrastructure@lists.fedoraproject.org

Re: FBR: Add monitoring for website build fails

[Rick Elrod]

On Thu, Feb 27, 2020 at 4:31 AM Clement Verna  wrote:
>
>
>
> On Thu, 27 Feb 2020 at 06:53, Rick Elrod  wrote:
>>
>> I'd like to apply the following which does:
>> - Adds a script I wrote for reading a timestamp from a file on disk
>> and alerting if the timestamp within it is NOT within a particular
>> delta to now.
>> - Applies this to sundries01 and uses it to check
>> /srv/websites/getfedora.org/build.timestamp.txt which now gets
>> generated as part of the websites build.
>>
>> The purpose is because sometimes someone will commit something to the
>> websites repo which breaks the build, but because of how we have
>> things set up in openshift (cronjob), we don't get any kind of alert
>> when that happens.
>
>
> I think it would be better to find a way to monitor the cronjob in OpenShift 
> since that will be useful for other projects.
> Did you investigate that idea ?
>
>>
>>
>> Right now this sets the delta to 3 hours. In theory it should be 1,
>> but I figure let it try to build a few times before we start alerting.
>
>
> +1 but I would prefer a way to have notification on a failed cronjob :-)

I'd prefer that too (or probably in addition), but I don't know
anything about how to set up that monitoring right now.
It looks like there's an OpenShift API endpoint for monitoring crons:
https://major.io/2019/11/18/monitoring-openshift-cron-jobs/
but we'd need to set up an API key for nagios checks to use somehow.
Probably worth looking into, but for the time being I'd still like to
apply this FBR, as we are going to have some Outreachy activity
happening on websites soon and we need to know that the prod build
isn't broken.

-re

>
>>
>>
>> Rick
>>
>>
>> commit 657d050f6d699bc43973d968cd93d12131fca7f2
>> Author: Rick Elrod 
>> Date:   Thu Feb 27 05:29:24 2020 +
>>
>> nagios: Add script and check for checking that a timestamp within
>> a file is within a delta of now, and then use this for alerting when
>> websites stop building
>>
>> Signed-off-by: Rick Elrod 
>>
>> diff --git a/roles/nagios_client/files/scripts/check_timestamp_from_file
>> b/roles/nagios_client/files/scripts/check_timestamp_from_file
>> new file mode 100644
>> index 000..9064337
>> --- /dev/null
>> +++ b/roles/nagios_client/files/scripts/check_timestamp_from_file
>> @@ -0,0 +1,43 @@
>> +#!/usr/bin/env python
>> +
>> +# Takes a path to a file and a delta. The file must simply contain an epoch
>> +# timestamp. It can be an integer or a float, as can the delta.
>> +#
>> +# Alerts critical if (now - timestamp contained in file) > delta.
>> +#
>> +# Rick Elrod 
>> +# MIT
>> +
>> +import sys
>> +import time
>> +
>> +if len(sys.argv) != 3:
>> +print('UNKNOWN: Pass path to file and delta as parameters')
>> +sys.exit(3)
>> +
>> +filename = sys.argv[1]
>> +delta = float(sys.argv[2])
>> +
>> +timestamp = None
>> +
>> +try:
>> +with open(filename, 'r') as f:
>> +timestamp = float(f.read().strip())
>> +except Exception as e:
>> +print('UNKNOWN: Unable to open/read file path')
>> +sys.exit(3)
>> +
>> +difference = round(time.time() - timestamp, 2)
>> +if difference > delta:
>> +print(
>> +'CRITICAL: Timestamp in file (%.2f) exceeds delta (%.2f) by
>> %.2f seconds' % (
>> +timestamp,
>> +delta,
>> +difference - delta))
>> +sys.exit(2)
>> +
>> +print('OK: Timestamp in file (%.2f) is within delta (%.2f) of now, by
>> %.2f seconds' % (
>> +timestamp,
>> +delta,
>> +abs(difference - delta)))
>> +sys.exit(0)
>> diff --git a/roles/nagios_client/tasks/main.yml
>> b/roles/nagios_client/tasks/main.yml
>> index 2e5e0df..8e71a3b 100644
>> --- a/roles/nagios_client/tasks/main.yml
>> +++ b/roles/nagios_client/tasks/main.yml
>> @@ -47,6 +47,7 @@
>>- check_osbs_api.py
>>- check_ipa_replication
>>- check_redis_queue.sh
>> +  - check_timestamp_from_file
>>when: not inventory_hostname.startswith('noc')
>>tags:
>>- nagios_client
>> @@ -226,6 +227,16 @@
>>tags:
>>- nagios_client
>>
>> +- name: install nrpe checks for sundries/websites
>> +  template: src={{ item }}.j2 dest=/etc/nrpe.d/{{ item }} owner=root
>> group=root mode=0644
>> +  with_items:
>> +  - check_websites_buildtime.cfg
>> +  when: inventory_hostname.startswith('sundries')
>> +  n

FBR: Add monitoring for website build fails

[Rick Elrod]

I'd like to apply the following which does:
- Adds a script I wrote for reading a timestamp from a file on disk
and alerting if the timestamp within it is NOT within a particular
delta to now.
- Applies this to sundries01 and uses it to check
/srv/websites/getfedora.org/build.timestamp.txt which now gets
generated as part of the websites build.

The purpose is because sometimes someone will commit something to the
websites repo which breaks the build, but because of how we have
things set up in openshift (cronjob), we don't get any kind of alert
when that happens.

Right now this sets the delta to 3 hours. In theory it should be 1,
but I figure let it try to build a few times before we start alerting.

Rick


commit 657d050f6d699bc43973d968cd93d12131fca7f2
Author: Rick Elrod 
Date:   Thu Feb 27 05:29:24 2020 +

nagios: Add script and check for checking that a timestamp within
a file is within a delta of now, and then use this for alerting when
websites stop building

Signed-off-by: Rick Elrod 

diff --git a/roles/nagios_client/files/scripts/check_timestamp_from_file
b/roles/nagios_client/files/scripts/check_timestamp_from_file
new file mode 100644
index 000..9064337
--- /dev/null
+++ b/roles/nagios_client/files/scripts/check_timestamp_from_file
@@ -0,0 +1,43 @@
+#!/usr/bin/env python
+
+# Takes a path to a file and a delta. The file must simply contain an epoch
+# timestamp. It can be an integer or a float, as can the delta.
+#
+# Alerts critical if (now - timestamp contained in file) > delta.
+#
+# Rick Elrod 
+# MIT
+
+import sys
+import time
+
+if len(sys.argv) != 3:
+print('UNKNOWN: Pass path to file and delta as parameters')
+sys.exit(3)
+
+filename = sys.argv[1]
+delta = float(sys.argv[2])
+
+timestamp = None
+
+try:
+with open(filename, 'r') as f:
+timestamp = float(f.read().strip())
+except Exception as e:
+print('UNKNOWN: Unable to open/read file path')
+sys.exit(3)
+
+difference = round(time.time() - timestamp, 2)
+if difference > delta:
+print(
+'CRITICAL: Timestamp in file (%.2f) exceeds delta (%.2f) by
%.2f seconds' % (
+timestamp,
+delta,
+difference - delta))
+sys.exit(2)
+
+print('OK: Timestamp in file (%.2f) is within delta (%.2f) of now, by
%.2f seconds' % (
+timestamp,
+delta,
+abs(difference - delta)))
+sys.exit(0)
diff --git a/roles/nagios_client/tasks/main.yml
b/roles/nagios_client/tasks/main.yml
index 2e5e0df..8e71a3b 100644
--- a/roles/nagios_client/tasks/main.yml
+++ b/roles/nagios_client/tasks/main.yml
@@ -47,6 +47,7 @@
   - check_osbs_api.py
   - check_ipa_replication
   - check_redis_queue.sh
+  - check_timestamp_from_file
   when: not inventory_hostname.startswith('noc')
   tags:
   - nagios_client
@@ -226,6 +227,16 @@
   tags:
   - nagios_client

+- name: install nrpe checks for sundries/websites
+  template: src={{ item }}.j2 dest=/etc/nrpe.d/{{ item }} owner=root
group=root mode=0644
+  with_items:
+  - check_websites_buildtime.cfg
+  when: inventory_hostname.startswith('sundries')
+  notify:
+  - restart nrpe
+  tags:
+  - nagios_client
+
 - name: install nrpe config for the RabbitMQ checks
   template:
 src: "rabbitmq_args.ini.j2"
diff --git a/roles/nagios_client/templates/check_websites_buildtime.cfg.j2
b/roles/nagios_client/templates/check_websites_buildtime.cfg.j2
new file mode 100644
index 000..ff5639d
--- /dev/null
+++ b/roles/nagios_client/templates/check_websites_buildtime.cfg.j2
@@ -0,0 +1,2 @@
+# Alert if websites haven't been built in 3 hours
+command[check_websites_buildtime]={{ libdir
}}/nagios/plugins/check_timestamp_from_file
/srv/websites/getfedora.org/build.timestamp.txt 10800
diff --git a/roles/nagios_server/templates/nagios/services/websites.cfg.j2
b/roles/nagios_server/templates/nagios/services/websites.cfg.j2
index 85e8f8e..c8958d7 100644
--- a/roles/nagios_server/templates/nagios/services/websites.cfg.j2
+++ b/roles/nagios_server/templates/nagios/services/websites.cfg.j2
@@ -316,4 +316,14 @@ define service {
   use   ppc-secondarytemplate
 }

+## Auxillary to websites but necessary to make them happen
+
+define service {
+  host_name sundries01.phx2.fedoraproject.org
+  service_description   websites build happened recently
+  check_command check_by_nrpe!check_websites_buildtime
+  use   websitetemplate
+}
+
+
 {% endif %}
___
infrastructure mailing list -- infrastructure@lists.fedoraproject.org
To unsubscribe send an email to infrastructure-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/infrastructure@lists.fedoraproject.org

Re: OpenShift-apps playbooks in the master.yml playbook

[Rick Elrod]

On 2019-11-18 06:59, Clement Verna wrote:
> Hey all,
> 
> I have just disabled the openshift-apps playbooks from running in the
> master playbook run (see
> https://infrastructure.fedoraproject.org/cgit/ansible.git/commit/master.yml?id=dccf42cd510703d6ddb5bb444aed7ce24ee1c334).

I'm -1 on this. Production apps should make use of git branches and
deploy from, say, a "production" branch. Then a deployment at any moment
wouldn't unexpectedly break an app.

Staging apps can do similar.

Basically anything that isn't just being tested/experimented with (which
should happen in communishift) can do similar.

> 
> The reason behind is that the openshift-apps playbook are written to
> trigger a new build and a new deployment of the application at each run,
> this means that every time the master.yml playbook is run we build a
> version of the application and deploy it.
> Since a few of our applications are using source-to-image to build the
> container directly from git it means that a master.yml run can deploy
> new code into production without the maintainer of that application
> being aware of it.
> 

Again, these s2i images should pull from a distinguished branch, then
this becomes a nonissue.

-re


> I wanted to raise awareness of this problem and ask the following
> questions.
> 
> Do we need to have the openshift-apps in the master.yml ? If yes how do
> we prevent the run from deploying unwanted changes in production ?
> 
> Thanks
> Clément
> 
> ___
> infrastructure mailing list -- infrastructure@lists.fedoraproject.org
> To unsubscribe send an email to infrastructure-le...@lists.fedoraproject.org
> Fedora Code of Conduct: 
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: 
> https://lists.fedoraproject.org/archives/list/infrastructure@lists.fedoraproject.org
> 


pEpkey.asc
Description: application/pgp-keys
___
infrastructure mailing list -- infrastructure@lists.fedoraproject.org
To unsubscribe send an email to infrastructure-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/infrastructure@lists.fedoraproject.org

Re: [PATCH 2/2] bodhi-pungi: enable aarch64 and ppc64le for silverblue updates

[Rick Elrod]

+1

-re

On 2019-10-24 15:51, Mohan Boddu wrote:

+1 LGTM

On Thu, Oct 24, 2019 at 3:36 PM Dusty Mabe  wrote:


---
  roles/bodhi2/backend/templates/pungi.rpm.conf.j2 | 4 ++--
  1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/roles/bodhi2/backend/templates/pungi.rpm.conf.j2 
b/roles/bodhi2/backend/templates/pungi.rpm.conf.j2
index 28b524a10..640ddf058 100644
--- a/roles/bodhi2/backend/templates/pungi.rpm.conf.j2
+++ b/roles/bodhi2/backend/templates/pungi.rpm.conf.j2
@@ -193,8 +193,8 @@ ostree = {
  "ostree_ref": "fedora/[[ release.version_int 
]]/${basearch}/testing/silverblue",
  [% endif %]
  "tag_ref": False,
-"arches": ["x86_64"],
-"failable": ["x86_64"]
+"arches": ["x86_64", "ppc64le", "aarch64" ],
+"failable": ["x86_64", "ppc64le", "aarch64" ]
  },
  ]
  }
--
2.20.1
___
infrastructure mailing list -- infrastructure@lists.fedoraproject.org
To unsubscribe send an email to infrastructure-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/infrastructure@lists.fedoraproject.org

___
infrastructure mailing list -- infrastructure@lists.fedoraproject.org
To unsubscribe send an email to infrastructure-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/infrastructure@lists.fedoraproject.org


___
infrastructure mailing list -- infrastructure@lists.fedoraproject.org
To unsubscribe send an email to infrastructure-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/infrastructure@lists.fedoraproject.org

Re: [PATCH 1/2] bodhi-pungi: F32 will be the next "branched"

[Rick Elrod]

+1 for the same reason.

-re

On 2019-10-24 16:23, Mohan Boddu wrote:

Since rawhide is not uses pungi, I think we are okay with this change.

+1 LGTM

On Thu, Oct 24, 2019 at 4:13 PM Mohan Boddu  wrote:


No, with rawhide gating we are using bodhi to push rawhide builds as
updates, I think it might call it and cause some issues.

On Thu, Oct 24, 2019 at 4:05 PM Dusty Mabe  wrote:




On 10/24/19 4:02 PM, Mohan Boddu wrote:

Just wondering, doesn't it affect rawhide composes, since rawhide is still 32?



IIUC the first time this will take any effect is when we start calling bodhi 
with '32'
as the number (i.e. after we have branched and rawhide is now 33).

Dusty


___
infrastructure mailing list -- infrastructure@lists.fedoraproject.org
To unsubscribe send an email to infrastructure-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/infrastructure@lists.fedoraproject.org


___
infrastructure mailing list -- infrastructure@lists.fedoraproject.org
To unsubscribe send an email to infrastructure-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/infrastructure@lists.fedoraproject.org

Re: [PATCH] new-updates-sync: sync multiarch silverblue ostree content

[Rick Elrod]

+1 after the syntax fix I mentioned inline.

-re

On 2019-10-24 15:56, Dusty Mabe wrote:

---
  roles/bodhi2/backend/files/new-updates-sync | 10 ++
  1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/roles/bodhi2/backend/files/new-updates-sync 
b/roles/bodhi2/backend/files/new-updates-sync
index d08c89301..9ad7628b8 100755
--- a/roles/bodhi2/backend/files/new-updates-sync
+++ b/roles/bodhi2/backend/files/new-updates-sync
@@ -25,8 +25,9 @@ RELEASES = {'f31': {'topic': 'fedora',
  'modules': ['fedora', 'fedora-secondary'],
  'repos': {'updates': {
  'from': 'f31-updates',
-'ostrees': [{'ref': 
'fedora/31/x86_64/updates/silverblue',
- 'dest': OSTREEDEST}],
+'ostrees': [{'ref': 
'fedora/31/%(arch)s/updates/silverblue',
+ 'dest': OSTREEDEST,
+ 'arches': ['x86_64', 'ppc64le', 
'aarch64']},


I think this is missing another ] at the end before the comma (to match 
with the [ after 'ostrees':



  'to': [{'arches': ['x86_64', 'armhfp', 'aarch64', 
'source'],
  'dest': os.path.join(FEDORADEST, '31', 
'Everything')},
 {'arches': ['ppc64le', 's390x'],
@@ -34,8 +35,9 @@ RELEASES = {'f31': {'topic': 'fedora',
]},
'updates-testing': {
  'from': 'f31-updates-testing',
-'ostrees': [{'ref': 
'fedora/31/x86_64/testing/silverblue',
- 'dest': OSTREEDEST}],
+'ostrees': [{'ref': 
'fedora/31/%(arch)s/testing/silverblue',
+ 'dest': OSTREEDEST,
+ 'arches': ['x86_64', 'ppc64le', 
'aarch64']},


Same here.


  'to': [{'arches': ['x86_64', 'aarch64', 'armhfp', 
'source'],
  'dest': os.path.join(FEDORADEST, 'testing', 
'31', 'Everything')},
 {'arches': ['ppc64le', 's390x'],


___
infrastructure mailing list -- infrastructure@lists.fedoraproject.org
To unsubscribe send an email to infrastructure-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/infrastructure@lists.fedoraproject.org

Re: Big Freeze Break Request: replicate db-koji01

[Rick Elrod]

+1 on #1

-re

On 2019-10-22 16:56, Stephen John Smoogen wrote:

On Tue, 22 Oct 2019 at 16:55, Mohan Boddu  wrote:


On Mon, Oct 21, 2019 at 2:48 PM Kevin Fenzi  wrote:


So, I got db-koji02 all setup and doing streaming replication from
db-koji01. It has no trouble keeping up.

The bad news is, it doesn't solve the backup problem.

* If I just do a backup on db-koji02 and don't have hot_standby_feedback
on, the backup fails because the primary (01) vacuums or otherwise drops
rows that the backup is trying to read.

* If I do a backup on db-koji02 with hot_standby_feedback enabled, the
backup fails due to a 30 second timeout in streaming delay. ie,
02: "hey, I am backing up these rows, keep them for me until I'm done"
01: "sure, no problem"
02: ...backs up... 30 seconds pass, still backing up...
02: woah, I am 30s behind in replication now due to this lock. 

Longer term the problem is really going to need to be solved in koji.
There's 2 tables that are gigantic: buildroot_listing (203GB) and tasks
(93GB). Those tables need to have lots of things inserting into them, so
backing them up will always slow things down. Hopefully they can use
partitioning or something and fix this upstream.

Possible solutions until they do:

1. I can try and increase max_standby_streaming_delay from 30s to say
90s. This might allow it enough time to copy things with all the locks.

+1


2. We could try breaking the replication, doing the backup on 02 and
reconnecting it. This may be difficult to automate and I worry that it
might not be consistent if we just disconnect.

3. We could just say that having a hot spare is ok for now and kick the
can down the road and not worry about backups.

Personally, I am willing to try 1 (will need more +1's for freeze
break), I don't really like 2 and 3 seems a bit scary, but I guess it
could be ok until after freeze.

Thoughts?

I prefer #1 compared to #2 and #3.


I think for the next week while Kevin is on vacation.. #1 is what we
should go with.


___
infrastructure mailing list -- infrastructure@lists.fedoraproject.org
To unsubscribe send an email to infrastructure-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/infrastructure@lists.fedoraproject.org

Re: Big Freeze Break Request: replicate db-koji01

[Rick Elrod]

I'm +1 to this, I don't think we should be going without db backups 
especially at this point in the cycle. Happy to help with some of it as 
well.


Rick

On 2019-10-16 18:35, Kevin Fenzi wrote:

Greetings folks.

As you may know, currently database backups on db-koji01 are causing
very heavy load, disrupting our users builds (
https://pagure.io/fedora-infrastructure/issue/8292 )
so, they are currently disabled.

However, not having current backups is not a good thing, IMHO.

So, I am considering the idea of adding a db-koji02 vm (also rhel7 using
the same postgres version that db-koji01 is) and enabling streaming
replication from db-koji01 -> db-koji02 and then once thats working, run
the database backups on db-koji02.

It turns out this doesn't require that many changes on db-koji01:
* adding a replication user
* Setting 3 new lines of postgresql config and restarting:
wal_level = 'hot_standby'
max_wal_senders = 10
wal_keep_segments = 100
(May need to adjust senders and keep segments)

All the other changes are on db-koji02:
* create/setup the vm
* run pg_basebackup to pull all the current data from 01
* setup postgresql.conf and recovery.conf files
* start server and confirm it keeps up with 01
* run pg_dump and confirm it keeps up with 01

This is, of course a really big change in a freeze to a criticial
service, so I'd like to get thoughts from others about it.

Should we wait until after freeze and do without backups until then
(note, that we have never had to restore this db from backups in the
past, although we have dumped/restored it to move to newer postgres
versions)?

Is there something else we can do thats easier to mitigate the issues
right now?

Thoughts? ideas? Rotten fruit?

kevin


___
infrastructure mailing list -- infrastructure@lists.fedoraproject.org
To unsubscribe send an email to infrastructure-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/infrastructure@lists.fedoraproject.org


___
infrastructure mailing list -- infrastructure@lists.fedoraproject.org
To unsubscribe send an email to infrastructure-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/infrastructure@lists.fedoraproject.org

Re: Freeze break request: add registry-no-cdn version3

[Rick Elrod]

And the next issue was indeed found. Thanks to otaylor for pointing out 
my logic fail, and apologies to nirik for breaking his already correct 
logic.


-1 on this version because I am dumb.

-re

On 2019-10-15 14:56, ke...@scrye.com wrote:

Cast aside all other versions! This is it!
(until the next issue is found)
___
infrastructure mailing list -- infrastructure@lists.fedoraproject.org
To unsubscribe send an email to infrastructure-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/infrastructure@lists.fedoraproject.org


___
infrastructure mailing list -- infrastructure@lists.fedoraproject.org
To unsubscribe send an email to infrastructure-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/infrastructure@lists.fedoraproject.org

Re: [PATCH] proxies: add registry-no-cdn in a better/simplier way

[Rick Elrod]

+1 to this version of it, with the removal of the /'s in the regex which 
I think Apache would take literally.


If we want to be pedantic, then escape the .'s in the regex with a \, 
but in this case it doesn't matter much.


-re


On 2019-10-15 14:19, ke...@scrye.com wrote:

From: Kevin Fenzi 

This version is just two lines. Adding a host alias to registry so it uses the 
same
vhost there, and then checking for the hostname in the rewrite.

Signed-off-by: Kevin Fenzi 
---
  playbooks/include/proxies-websites.yml  | 2 +-
  .../httpd/reverseproxy/templates/reversepassproxy.registry-generic.conf | 1 +
  2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/playbooks/include/proxies-websites.yml 
b/playbooks/include/proxies-websites.yml
index 8dd1740..c87677f 100644
--- a/playbooks/include/proxies-websites.yml
+++ b/playbooks/include/proxies-websites.yml
@@ -666,7 +666,7 @@
  
- role: httpd/website

  site_name: registry.fedoraproject.org
-server_aliases: [registry.stg.fedoraproject.org]
+server_aliases: [registry.stg.fedoraproject.org 
registry-no-cdn.fedoraproject.org]
  sslonly: true
  cert_name: "{{wildcard_cert_name}}"
  
diff --git a/roles/httpd/reverseproxy/templates/reversepassproxy.registry-generic.conf b/roles/httpd/reverseproxy/templates/reversepassproxy.registry-generic.conf

index 8a97f39..9bc9eba 100644
--- a/roles/httpd/reverseproxy/templates/reversepassproxy.registry-generic.conf
+++ b/roles/httpd/reverseproxy/templates/reversepassproxy.registry-generic.conf
@@ -6,6 +6,7 @@ ProxyPreserveHost On
  
  {% if env == "production" %}

  RewriteCond %{HTTP:VIA} !cdn77
+RewriteCond %{SERVER_NAME} !/^registry-no-cdn.fedoraproject.org$/
  RewriteCond %{REQUEST_METHOD} !^(PATCH|POST|PUT|DELETE|HEAD)$
  RewriteRule ^/v2/(.*)/blobs/([a-zA-Z0-9:]*) 
https://cdn.registry.fedoraproject.org/v2/$1/blobs/$2 [R]
  {% endif %}


___
infrastructure mailing list -- infrastructure@lists.fedoraproject.org
To unsubscribe send an email to infrastructure-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/infrastructure@lists.fedoraproject.org

Re: Freeze Break Request: update openssl on proxy servers

[Rick Elrod]

+1 here

-re

On 9/17/19 1:46 PM, Kevin Fenzi wrote:

Greetings.

I'd like to apply:
https://bodhi.fedoraproject.org/updates/FEDORA-2019-d51641f152

to our proxy servers and restart httpd on them.

This is to fix:

https://pagure.io/fedora-infrastructure/issue/8173
https://bugzilla.redhat.com/show_bug.cgi?id=1737471

(basically newer podman (in f31+) cannot pull images from our registry
due to a openssl bug.

Id like to get this out today since beta went out today and people are
going to start trying to use it. If I don't get enough +1's I'll just
apply it tomorrow after freeze.

kevin


___
infrastructure mailing list -- infrastructure@lists.fedoraproject.org
To unsubscribe send an email to infrastructure-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/infrastructure@lists.fedoraproject.org


___
infrastructure mailing list -- infrastructure@lists.fedoraproject.org
To unsubscribe send an email to infrastructure-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/infrastructure@lists.fedoraproject.org

Re: Freeze Break Request: Fix typo in bodhi status variable

[Rick Elrod]

+1

-re

On 9/9/19 2:34 PM, Kevin Fenzi wrote:

Greetings.

We have a variable in:
vars/all/FedoraBranchedBodhi.yaml

thats used in our bodhi config to set the proper policies.
The template uses 'predeta' and 'postbeta'... but the variable was
updated to 'preBeta', which isn't going to work.

I'd like to apply the following and run the bodhi backend playbook:

diff --git a/vars/all/FedoraBranchedBodhi.yaml
b/vars/all/FedoraBranchedBodhi.yaml
index 91f82f2..f0cca9a 100644
--- a/vars/all/FedoraBranchedBodhi.yaml
+++ b/vars/all/FedoraBranchedBodhi.yaml
@@ -1,2 +1,2 @@
-#options are: preBeta, postBeta, current
-FedoraBranchedBodhi: preBeta
+#options are: prebeta, postbeta, current
+FedoraBranchedBodhi: prebeta

kevin


___
infrastructure mailing list -- infrastructure@lists.fedoraproject.org
To unsubscribe send an email to infrastructure-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/infrastructure@lists.fedoraproject.org


___
infrastructure mailing list -- infrastructure@lists.fedoraproject.org
To unsubscribe send an email to infrastructure-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/infrastructure@lists.fedoraproject.org

Re: Freeze break request: update registry.redhat.io ip

[Rick Elrod]

+1

-re

On 9/9/19 2:06 PM, Kevin Fenzi wrote:

diff --git a/roles/hosts/files/os-hosts b/roles/hosts/files/os-hosts
index e9dc0a2..3c283e3 100644
--- a/roles/hosts/files/os-hosts
+++ b/roles/hosts/files/os-hosts
@@ -1,4 +1,4 @@
  127.0.0.1   localhost localhost.localdomain localhost4
localhost4.localdomain4
  ::1 localhost localhost.localdomain localhost6
localhost6.localdomain6
  104.112.85.238  registry.access.redhat.com
-104.69.74.100   registry.redhat.io
+184.86.192.77   registry.redhat.io

This should fix https://pagure.io/fedora-infrastructure/issue/8180

+1s?

kevin


___
infrastructure mailing list -- infrastructure@lists.fedoraproject.org
To unsubscribe send an email to infrastructure-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/infrastructure@lists.fedoraproject.org


___
infrastructure mailing list -- infrastructure@lists.fedoraproject.org
To unsubscribe send an email to infrastructure-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/infrastructure@lists.fedoraproject.org

Re: [PATCH] ipsilon: add aws-copr group to ipsilon for aws access.

[Rick Elrod]

+1

-re

On 9/3/19 7:59 PM, Kevin Fenzi wrote:

Signed-off-by: Kevin Fenzi 
---
  roles/ipsilon/files/infofas.py | 1 +
  1 file changed, 1 insertion(+)

diff --git a/roles/ipsilon/files/infofas.py b/roles/ipsilon/files/infofas.py
index 2b59000..5454edf 100644
--- a/roles/ipsilon/files/infofas.py
+++ b/roles/ipsilon/files/infofas.py
@@ -49,6 +49,7 @@ aws_groups = {
  'aws-cloud-poc': 'arn:aws:iam::125523088429:role/aws-cloud-poc',
  'aws-infra': 'arn:aws:iam::125523088429:role/aws-infra',
  'aws-docs': 'arn:aws:iam::125523088429:role/aws-docs',
+'aws-copr': 'arn:aws:iam::125523088429:role/aws-copr',
  }
  
  


___
infrastructure mailing list -- infrastructure@lists.fedoraproject.org
To unsubscribe send an email to infrastructure-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/infrastructure@lists.fedoraproject.org

Re: FBR: Sunset infinote

[Rick Elrod]

+1 thanks for working on this.

-re

On 9/3/19 3:10 PM, Clement Verna wrote:

Hi all,

The attached patch remove infinote from ansible. I would like to apply 
this then delete the virtual host and finally the run the nagios 
playbook so that we don't monitor this service anymore.


Content was backed up here --> 
https://infrastructure.fedoraproject.org/infra/retired/infinote.fedoraproject.org/infinote/. 



Once all done, I ll communicate that the service was retired on the 
different lists the sunset was advertised.


+1s ?

Thanks

___
infrastructure mailing list -- infrastructure@lists.fedoraproject.org
To unsubscribe send an email to infrastructure-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/infrastructure@lists.fedoraproject.org


___
infrastructure mailing list -- infrastructure@lists.fedoraproject.org
To unsubscribe send an email to infrastructure-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/infrastructure@lists.fedoraproject.org

Re: [PATCH] robosignatory: add f31/f32 infra tags and f31-gnome side tag to be signed.

[Rick Elrod]

+1 here.

-re

On 9/3/19 1:30 PM, Kevin Fenzi wrote:

Signed-off-by: Kevin Fenzi 
---
  roles/robosignatory/files/robosignatory.production.py | 18 ++
  1 file changed, 18 insertions(+)

diff --git a/roles/robosignatory/files/robosignatory.production.py 
b/roles/robosignatory/files/robosignatory.production.py
index 2d7013b..e2cbc3d 100644
--- a/roles/robosignatory/files/robosignatory.production.py
+++ b/roles/robosignatory/files/robosignatory.production.py
@@ -50,6 +50,12 @@ config = {
  "keyid": "3c3359c4"
  },
  {
+"from": "f31-gnome",
+"to": "f31-gnome",
+"key": "fedora-31",
+"keyid": "3c3359c4"
+},
+{
  "from": "f31-python",
  "to": "f31-python",
  "key": "fedora-31",
@@ -98,6 +104,18 @@ config = {
  "key": "fedora-infra",
  "keyid": "47dd8ef9"
  },
+{
+"from": "f31-infra-candidate",
+"to": "f31-infra-stg",
+"key": "fedora-infra",
+"keyid": "47dd8ef9"
+},
+{
+"from": "f32-infra-candidate",
+"to": "f32-infra-stg",
+"key": "fedora-infra",
+"keyid": "47dd8ef9"
+},
  
  # Gated coreos-pool tag

  {


___
infrastructure mailing list -- infrastructure@lists.fedoraproject.org
To unsubscribe send an email to infrastructure-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/infrastructure@lists.fedoraproject.org

Re: Freeze break request: h2 testing on rawhide

[Rick Elrod]

On 8/30/19 12:21 PM, Kevin Fenzi wrote:


Can I get some +1s for this plan?


+1, easy to back out if it breaks.

Rick
___
infrastructure mailing list -- infrastructure@lists.fedoraproject.org
To unsubscribe send an email to infrastructure-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/infrastructure@lists.fedoraproject.org

Re: [[FBR] Freeze Break Request: ] dns: Actually drop the limit on the group we defined in the last commit.

[Rick Elrod]

+1 here too.


On 4/30/19 4:41 PM, ke...@scrye.com wrote:

From: Kevin Fenzi 

Signed-off-by: Kevin Fenzi 
---
  roles/dns/files/named.conf | 4 
  1 file changed, 4 insertions(+)

diff --git a/roles/dns/files/named.conf b/roles/dns/files/named.conf
index c13d65e..e210088 100644
--- a/roles/dns/files/named.conf
+++ b/roles/dns/files/named.conf
@@ -574,6 +574,10 @@ view "RDU2" {
  view "NA" {
  match-clients { US; CA; MX; };
  recursion no;
+// no rate-limit on internal requests
+rate-limit {
+ exempt-clients { ns_redhat; };
+};
  zone "fedoraproject.org" {
  type master;
  file "/var/named/master/built/NA/fedoraproject.org.signed";


___
infrastructure mailing list -- infrastructure@lists.fedoraproject.org
To unsubscribe send an email to infrastructure-le...@lists.fedoraproject.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/infrastructure@lists.fedoraproject.org

Re: [[FBR] Freeze Break Request: ] dns: add 2 rh nameservers that make a lot of legit queries against our dns.

[Rick Elrod]

+1

-re

On 4/30/19 4:36 PM, ke...@scrye.com wrote:

From: Kevin Fenzi 

Signed-off-by: Kevin Fenzi 
---
  roles/dns/files/named.conf | 2 +-
  1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/roles/dns/files/named.conf b/roles/dns/files/named.conf
index df539bf..c13d65e 100644
--- a/roles/dns/files/named.conf
+++ b/roles/dns/files/named.conf
@@ -20,7 +20,7 @@ acl "everyone-v4" { 0.0.0.0/0;  };
  acl "everyone-v6" { ::0/0; };
  acl "everyone" { 0.0.0.0/0; ::0/0; };
  //
-acl "ns_redhat" { 66.187.233.210; 209.132.183.2; 66.187.229.10; };
+acl "ns_redhat" { 66.187.233.210; 209.132.183.22; 209.132.183.30; 
209.132.183.2; 66.187.229.10; };
  //
  acl "phx2net" { 10.4.124.128/25; 10.5.78.0/24; 10.5.79.0/24; 10.5.125.0/24; 
10.5.126.0/24; 10.5.127.0/24; 10.5.128.0/24; 10.5.129.0/24; 10.5.130.0/24; 10.16.0.0/24; 
};
  acl "rdu2net" { 172.31.1.0/24; 172.31.2.0/24; };


___
infrastructure mailing list -- infrastructure@lists.fedoraproject.org
To unsubscribe send an email to infrastructure-le...@lists.fedoraproject.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/infrastructure@lists.fedoraproject.org

Re: Heads-up: Deleting fas3_server role from ansible

[Rick Elrod]

+1, I think you can also delete inventory/host_vars/fas3* and related 
playbooks.


-re

On 4/19/19 10:13 AM, Clement Verna wrote:

Hi all,

I ll be deleting the fas3_server role from our ansible repository
since it is currently not used and we are moving away from FAS.

See the file diff below.

Please let me know, if for any reason we should keep this role.

Thanks
Clément

---
  roles/fas3_server/files/accounts.conf  |  31 
  roles/fas3_server/files/copr.repo  |   8 -
  roles/fas3_server/tasks/main.yml   |  55 --
  roles/fas3_server/templates/production.ini | 198 -
  4 files changed, 292 deletions(-)
  delete mode 100644 roles/fas3_server/files/accounts.conf
  delete mode 100644 roles/fas3_server/files/copr.repo
  delete mode 100644 roles/fas3_server/tasks/main.yml
  delete mode 100644 roles/fas3_server/templates/production.ini
___
infrastructure mailing list -- infrastructure@lists.fedoraproject.org
To unsubscribe send an email to infrastructure-le...@lists.fedoraproject.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/infrastructure@lists.fedoraproject.org


___
infrastructure mailing list -- infrastructure@lists.fedoraproject.org
To unsubscribe send an email to infrastructure-le...@lists.fedoraproject.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/infrastructure@lists.fedoraproject.org

Re: Heads-up: Deleting graphite role from ansible

[Rick Elrod]

+1, this was an experiment I led. Grafana/graphite is pretty and I'd 
love to have pretty dashboards to get various views into our 
infrastructure, but I never got around to setting it up beyond just 
dumping our collectd stats into it. It's something I'd like to perhaps 
revisit down the road some day, but it isn't likely to be any time soon.


+1 to delete it.

-re

On 4/19/19 10:17 AM, Clement Verna wrote:

Hi all,

I ll be deleting the graphite role from our ansible repository
since it is currently not used.

See the file diff below.

Please let me know, if for any reason we should keep this role.

Thanks
Clément

---
  .../fedmsg2statsd/files/cabal-install.repo|   7 -
  .../fedmsg2statsd/files/fedmsg2statsd.service |  15 --
  .../graphite/fedmsg2statsd/handlers/main.yml  |   3 -
  roles/graphite/fedmsg2statsd/tasks/main.yml   |  57 -
  roles/graphite/grafana/files/grafana.repo |   9 -
  roles/graphite/grafana/files/grafana.service  |  23 --
  roles/graphite/grafana/handlers/main.yml  |   3 -
  roles/graphite/grafana/tasks/main.yml |  54 -
  roles/graphite/grafana/templates/grafana.conf |  28 ---
  roles/graphite/graphite/tasks/main.yml|  48 
  .../graphite/templates/graphite-web.conf  |  45 
  .../graphite/templates/local_settings.py  | 212 --
  roles/graphite/statsd/tasks/main.yml  |  14 --
  13 files changed, 518 deletions(-)
  delete mode 100644 roles/graphite/fedmsg2statsd/files/cabal-install.repo
  delete mode 100644 roles/graphite/fedmsg2statsd/files/fedmsg2statsd.service
  delete mode 100644 roles/graphite/fedmsg2statsd/handlers/main.yml
  delete mode 100644 roles/graphite/fedmsg2statsd/tasks/main.yml
  delete mode 100644 roles/graphite/grafana/files/grafana.repo
  delete mode 100644 roles/graphite/grafana/files/grafana.service
  delete mode 100644 roles/graphite/grafana/handlers/main.yml
  delete mode 100644 roles/graphite/grafana/tasks/main.yml
  delete mode 100644 roles/graphite/grafana/templates/grafana.conf
  delete mode 100644 roles/graphite/graphite/tasks/main.yml
  delete mode 100644 roles/graphite/graphite/templates/graphite-web.conf
  delete mode 100644 roles/graphite/graphite/templates/local_settings.py
  delete mode 100644 roles/graphite/statsd/tasks/main.yml
___
infrastructure mailing list -- infrastructure@lists.fedoraproject.org
To unsubscribe send an email to infrastructure-le...@lists.fedoraproject.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/infrastructure@lists.fedoraproject.org


___
infrastructure mailing list -- infrastructure@lists.fedoraproject.org
To unsubscribe send an email to infrastructure-le...@lists.fedoraproject.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/infrastructure@lists.fedoraproject.org

Re: FBR: Push a fix to clean_amis.py in fedimg box

[Rick Elrod]

+1

-re

On 3/27/19 5:57 AM, Sayan Chowdhury wrote:

I need to push a fix to run the clean_amis script. The diff is as follows:

diff --git a/roles/fedimg/files/clean-amis.py b/roles/fedimg/files/clean-amis.py
index d0a491824..8e8cfff91 100644
--- a/roles/fedimg/files/clean-amis.py
+++ b/roles/fedimg/files/clean-amis.py
@@ -116,7 +116,7 @@ def get_page(page, delta, topic, start=None, end=None):
  return resp.json()


-def _get_two_week_atomic_released_compose_id(delta, start=None, end=None):
+def _get_two_week_released_atomic_compose_id(delta, start=None, end=None):
  """ Returns the release compose ids for last n days """

  topic = "org.fedoraproject.prod.releng.atomic.twoweek.complete"
@@ -136,7 +136,7 @@ def
_get_two_week_atomic_released_compose_id(delta, start=None, end=None):
  for msg in messages:
  # This is to support the older-format fedmsg messages
  if "atomic_raw" in msg:
-released_atomic_compose_ids.append(["atomic_raw"]["compose_id"])
+released_atomic_compose_ids.append(msg["atomic_raw"]["compose_id"])
  # We are just trying here multiple archs to get the compose id
  elif "aarch64" in msg:
  released_atomic_compose_ids.append(
@@ -186,7 +186,7 @@ def _get_nightly_amis_nd(delta, start=None, end=None):

  # Sometimes the compose label is None
  # and they can be blindly put in for deletion
-if compose_label is None:
+if not compose_label:
  amis.append((compose_id, ami_id, region))

  if compose_id in released_atomic_compose_ids:
@@ -209,7 +209,7 @@ def _get_nightly_amis_nd(delta, start=None, end=None):
  def delete_amis_nd(deletetimestamp, dry_run=False):
  """ Delete the give list of nightly AMIs

-:args deletetimestamp: the timestamp for the delete
+:args deletetimestamp: the timestamp for the delete
  :args dry_run: dry run the flow
  """
  log.info("Deleting AMIs")

The PR to this diff is merged into releng repo[1].

+1s

[1] https://pagure.io/releng/pull-request/8193#request_diff



___
infrastructure mailing list -- infrastructure@lists.fedoraproject.org
To unsubscribe send an email to infrastructure-le...@lists.fedoraproject.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/infrastructure@lists.fedoraproject.org

Re: Freeze Break Request: reinstall buildvm-ppc64le-01/02 to power9 hw

[Rick Elrod]

+1 with saving the old ones off (and probably keeping them around until 
after freeze so we can revert if we notice something wrong but not right 
away).


-re

On 3/26/19 4:43 PM, Kevin Fenzi wrote:

I'd like to reinstall buildvm-ppc64le-01 and 02 on power9 hardware.

This should allow us to stop the crazy things we have had to do on the
current ones (running on power8) which includes:

* downgrading qemu
* downgrading libfdt
* downgrading the kernel and booting it and removing all other kernels
* disabling security updates because we don't want to mess up the above.

It should take only a few minutes and I will save the old vm's so we can
back out to them if we have to. (Although I need to re-downgrade qemu on
them because it was upgraded the other day when I upgraded libseccomp).

kevin


___
infrastructure mailing list -- infrastructure@lists.fedoraproject.org
To unsubscribe send an email to infrastructure-le...@lists.fedoraproject.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/infrastructure@lists.fedoraproject.org


___
infrastructure mailing list -- infrastructure@lists.fedoraproject.org
To unsubscribe send an email to infrastructure-le...@lists.fedoraproject.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/infrastructure@lists.fedoraproject.org

Re: [FBR ] update-fullfiletimelist: make new-updates-sync use the fedora-secondary lock file

[Rick Elrod]

+1

-re

On 3/19/19 6:48 PM, ke...@scrye.com wrote:

From: Kevin Fenzi 

Currently update-fullfiletimelist is called from 4 machines:
* rawhide-composer: after rawhide compose
* branched-composer: after branched compose
* secondary01: in a cron every hour updating only /pub/alt as it can change 
anytime.
* bodhi-backend01: after ever updates sync that has content synced

We need bodhi-backend01 to use the same lock as rawhide/branched composers 
since they
update the same modules and we don't want them to step on each other.

Signed-off-by: Kevin Fenzi 
---
  roles/bodhi2/backend/files/new-updates-sync | 2 +-
  1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/roles/bodhi2/backend/files/new-updates-sync 
b/roles/bodhi2/backend/files/new-updates-sync
index 0fa893b..7d6e456 100755
--- a/roles/bodhi2/backend/files/new-updates-sync
+++ b/roles/bodhi2/backend/files/new-updates-sync
@@ -234,7 +234,7 @@ def update_fullfilelist(modules):
  logger.info('No filelists to update')
  return
  cmd = ['/usr/local/bin/update-fullfiletimelist', '-l',
-   '/tmp/update-fullfiletimelist.lock', '-t', '/pub']
+   '/pub/fedora-secondary/update-fullfiletimelist.lock', '-t', '/pub']
  cmd.extend(modules)
  run_command(cmd)
  


___
infrastructure mailing list -- infrastructure@lists.fedoraproject.org
To unsubscribe send an email to infrastructure-le...@lists.fedoraproject.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/infrastructure@lists.fedoraproject.org

Re: FBR for Alessandro Lorenzi for nagios certgetter change.

[Rick Elrod]

+1 but note that this will need to be added to tasks/main.yml too so it 
gets copied over.


-re

On 3/20/19 7:56 AM, Stephen John Smoogen wrote:

I have reviewed this and will sponsor it.

-- Forwarded message -
From: Alessandro Lorenzi 
Date: Sat, 16 Mar 2019 at 17:24
Subject: [fedora-infrastructure] Issue #7635: Add monitoring for httpd
on certgetter
To: 



neron added a new comment to an issue you are following:
``
Hi,

first patch in fedora-infrastructure!



```
 From 191cd95874e5f2f0141032cc211f2b405255df6d Mon Sep 17 00:00:00 2001
From: Alessandro Lorenzi 
Date: Sat, 16 Mar 2019 22:10:12 +0100
Subject: [PATCH] Monitoring: add service certgetter http

Refs: #7635
---
  roles/nagios_server/files/nagios/services/certgetter.cfg | 6 ++
  1 file changed, 6 insertions(+)
  create mode 100644 roles/nagios_server/files/nagios/services/certgetter.cfg

diff --git a/roles/nagios_server/files/nagios/services/certgetter.cfg
b/roles/nagios_server/files/nagios/services/certgetter.cfg
new file mode 100644
index 0..2b143ed23
--- /dev/null
+++ b/roles/nagios_server/files/nagios/services/certgetter.cfg
@@ -0,0 +1,6 @@
+define service {
+  host_name certgetter01.phx2.fedoraproject.org
+  service_description   certgetter-http
+  check_command check_http!certgetter01.phx2.fedoraproject.org
+  use   defaulttemplate
+}
--
2.17.1

```
``

To reply, visit the link below or just reply to this email
https://pagure.io/fedora-infrastructure/issue/7635



___
infrastructure mailing list -- infrastructure@lists.fedoraproject.org
To unsubscribe send an email to infrastructure-le...@lists.fedoraproject.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/infrastructure@lists.fedoraproject.org

Re: FBR: Add nfs-server/remove ipv6-test

[Rick Elrod]

+1

-re

On 3/20/19 10:02 AM, Stephen John Smoogen wrote:

This will bring 45drives box ready for testing and will remove
ipv6-test from ansible.

I will need to run the noc.yml after this to remove ipv6-test from nagios.



___
infrastructure mailing list -- infrastructure@lists.fedoraproject.org
To unsubscribe send an email to infrastructure-le...@lists.fedoraproject.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/infrastructure@lists.fedoraproject.org


___
infrastructure mailing list -- infrastructure@lists.fedoraproject.org
To unsubscribe send an email to infrastructure-le...@lists.fedoraproject.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/infrastructure@lists.fedoraproject.org

Re: "FBR: To update python3-productmd on compose-x86-01.phx2.fp.o"

[Rick Elrod]

+1

-re

On 3/20/19 8:15 AM, Mohan Boddu wrote:

The recent RC compose failed due to:

ValueError: Image: Field 'type' has invalid value: vmdk

Support for vmdk was added in python3-productmd-1.21-1.fc29 version. 
Once updated, this issue should be fixed.


Thanks.

___
infrastructure mailing list -- infrastructure@lists.fedoraproject.org
To unsubscribe send an email to infrastructure-le...@lists.fedoraproject.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/infrastructure@lists.fedoraproject.org


___
infrastructure mailing list -- infrastructure@lists.fedoraproject.org
To unsubscribe send an email to infrastructure-le...@lists.fedoraproject.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/infrastructure@lists.fedoraproject.org

Re: Request for comments: mediawiki-FedoraBadges direct db query

[Rick Elrod]

On 3/20/19 9:48 AM, Stephen John Smoogen wrote:

On Wed, 20 Mar 2019 at 09:43, Pierre-Yves Chibon  wrote:



Sounds fine to me :)
As a ticket been opened upstream so it's not lost that this API needs
optimization?



To this particular one, no. I went and looked at the open issues and
saw several 'tahrir is slow' so figured it might be caught up already
in those.



Yeah, exactly this. I think the problems aren't specific to this 
particular endpoint. We've known (or at least I've known) about the 
slowness on this endpoint since the start of Tahrir's development, but I 
think it affects some other endpoints as well (as suggested by the 
tickets smooge referred to). I tried for a while to track it down a few 
years ago, but never did.


R.
___
infrastructure mailing list -- infrastructure@lists.fedoraproject.org
To unsubscribe send an email to infrastructure-le...@lists.fedoraproject.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/infrastructure@lists.fedoraproject.org

Re: Request for comments: mediawiki-FedoraBadges direct db query

[Rick Elrod]

On 3/20/19 9:42 AM, Clement Verna wrote:

On Wed, 20 Mar 2019 at 14:27, Rick Elrod  wrote:


Hi all,

Tahrir is slow, and the endpoint that mediawiki-FedoraBadges uses to get
its badge count and badge assertion data from takes about 35 seconds per
request.


Do we have an idea what makes Tahrir so slow ?


Way back when Tahrir was more actively developed, I tried to look into 
this some. From what I remember, it's just generating super inefficient 
queries, and lots of them. I recall the ORM it was using loves to 
generate queries that exhibit the N+1 query problem. When the N queries 
are inefficient ones (that might also generate more queries each), the 
result is slowness.


But that might have changed, and I haven't touched the Tahrir codebase 
in years. As smooge said, there are a number of Tahrir-upstream bugs 
that mention it being slow all around, so I don't think this is specific 
to the endpoint I'm using. I think this is just where we end up seeing 
it fairly often because of wiki userpages.


Rick
___
infrastructure mailing list -- infrastructure@lists.fedoraproject.org
To unsubscribe send an email to infrastructure-le...@lists.fedoraproject.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/infrastructure@lists.fedoraproject.org

Request for comments: mediawiki-FedoraBadges direct db query

[Rick Elrod]

Hi all,

Tahrir is slow, and the endpoint that mediawiki-FedoraBadges uses to get 
its badge count and badge assertion data from takes about 35 seconds per 
request.


As a result, if a user enables both badge count and badge images on a 
user page, the two requests combined take well over a minute. This 
results in mediawiki often bombing the request and rendering an ugly 
error in place of badges.


We get tickets/support requests on this occasionally as well:
- https://pagure.io/fedora-infrastructure/issue/7650

Some quick testing shows that the queries I care about for the 
mediawiki-FedoraBadges plugin take about 70ms to run (in prod). 
Incurring a 35 second penalty for that seems *crazy* to me.


As an alternative, I'd like to propose making a tahrir-readonly user, 
and modifying the mediawiki-FedoraBadges plugin to query the badges 
database directly.


I played around and got it working in staging, the process was something 
like:


- Create tahrir-readonly postgres user
- Grant it readonly perms on the tahrir tables, and connect and usage perms.
- Modify the mw plugin
- Install php-pgsql on wiki01.stg so it can actually connect

After that it seems to work fine. I triggered a cache purge of all wiki 
pages on stg as well (but on prod, I'd probably just let the cache 
naturally expire). Pages with badges load almost instantly now (granted 
the stg data is way less than prod, but still).


I'm looking for comments because I don't know if there's anything 
security-wise I'm overlooking in doing this. At a quick glance, it seems 
fine -- the new pg user is readonly and very few people have access to 
LocalSettings.php where the connect info would be stored. But I might 
well be missing something and want to be safe.


Thoughts?

Rick
___
infrastructure mailing list -- infrastructure@lists.fedoraproject.org
To unsubscribe send an email to infrastructure-le...@lists.fedoraproject.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/infrastructure@lists.fedoraproject.org

FBR: make iot.fp.o live

[Rick Elrod]

This has been in stg for a while, and I have been asked to make it live.

This FBR is for permission to commit this and run the proxy playbook on 
all proxies.


Rick



commit fe044fc717517d01211e1995ff9778b7b7906fe4
Author: Rick Elrod 
Date:   Tue Mar 19 16:59:54 2019 +

[fedora-web/iot] make it live

Signed-off-by: Rick Elrod 

diff --git a/playbooks/include/proxies-fedora-web.yml 
b/playbooks/include/proxies-fedora-web.yml

index 526ba27..7532950 100644
--- a/playbooks/include/proxies-fedora-web.yml
+++ b/playbooks/include/proxies-fedora-web.yml
@@ -42,7 +42,6 @@
 website: arm.fedoraproject.org
   - role: fedora-web/iot
 website: iot.fedoraproject.org
-when: env == "staging"
   - role: fedora-web/registry
 website: registry.fedoraproject.org
   - role: fedora-web/ostree
diff --git a/playbooks/include/proxies-websites.yml 
b/playbooks/include/proxies-websites.yml

index df22e22..352fdde 100644
--- a/playbooks/include/proxies-websites.yml
+++ b/playbooks/include/proxies-websites.yml
@@ -226,7 +226,6 @@
 - iot.stg.fedoraproject.org
 sslonly: true
 cert_name: "{{wildcard_cert_name}}"
-when: env == "staging"

   - role: httpd/website
 site_name: budget.fedoraproject.org
diff --git a/roles/fedora-web/build/files/syncStatic.sh 
b/roles/fedora-web/build/files/syncStatic.sh

index 8c5d622..7a541a9 100644
--- a/roles/fedora-web/build/files/syncStatic.sh
+++ b/roles/fedora-web/build/files/syncStatic.sh
@@ -71,3 +71,4 @@ build fedoracommunity.org
 build fudcon.fedoraproject.org
 build start.fedoraproject.org
 build fedoraproject.org
+build iot.fedoraproject.org
___
infrastructure mailing list -- infrastructure@lists.fedoraproject.org
To unsubscribe send an email to infrastructure-le...@lists.fedoraproject.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/infrastructure@lists.fedoraproject.org

Re: [Freeze Break Request ] gnome-backups: remove cloud.gnome.org and also unset freeze flag

[Rick Elrod]

+1

-re

On 3/6/19 5:23 PM, ke...@scrye.com wrote:

From: Kevin Fenzi 

Per averi, cloud.gnome.org is to be removed.
This host has no impact on fedora releases and shouldn't freeze.

Signed-off-by: Kevin Fenzi 
---
  inventory/group_vars/gnome-backups   | 1 +
  roles/gnome_backups/files/backup.sh  | 1 -
  roles/gnome_backups/files/ssh_config | 2 +-
  roles/gnome_backups/tasks/main.yml   | 1 -
  4 files changed, 2 insertions(+), 3 deletions(-)

diff --git a/inventory/group_vars/gnome-backups 
b/inventory/group_vars/gnome-backups
index 5c4a8b5..9e55342 100644
--- a/inventory/group_vars/gnome-backups
+++ b/inventory/group_vars/gnome-backups
@@ -1,3 +1,4 @@
+freezes: False
  csi_purpose: GNOME Infrastructure Backups facility
  csi_relationship: |
  Provides rdiff-backup based backups to all the GNOME Infrastructure
diff --git a/roles/gnome_backups/files/backup.sh 
b/roles/gnome_backups/files/backup.sh
index 348dce1..4b4c619 100644
--- a/roles/gnome_backups/files/backup.sh
+++ b/roles/gnome_backups/files/backup.sh
@@ -9,7 +9,6 @@ MACHINES='signal.gnome.org
webapps2.gnome.org
palette.gnome.org
webapps.gnome.org
-  cloud.gnome.org
bastion.gnome.org
spinner.gnome.org
master.gnome.org
diff --git a/roles/gnome_backups/files/ssh_config 
b/roles/gnome_backups/files/ssh_config
index 630a652..e6f8ecb 100644
--- a/roles/gnome_backups/files/ssh_config
+++ b/roles/gnome_backups/files/ssh_config
@@ -1,4 +1,4 @@
-Host puppetmaster01.gnome.org cloud.gnome.org webapps3.gnome.org
+Host puppetmaster01.gnome.org webapps3.gnome.org
   User root
   IdentityFile /usr/local/etc/gnome_backup_id.rsa
   ProxyCommand ssh -W %h:%p bastion.gnome.org -F 
/usr/local/etc/gnome_ssh_config
diff --git a/roles/gnome_backups/tasks/main.yml 
b/roles/gnome_backups/tasks/main.yml
index 368ccdc..5de98fc 100644
--- a/roles/gnome_backups/tasks/main.yml
+++ b/roles/gnome_backups/tasks/main.yml
@@ -34,7 +34,6 @@
- webapps.gnome.org
- socket.gnome.org
- bugzilla.gnome.org
-  - cloud.gnome.org
- bastion.gnome.org
- spinner.gnome.org
- master.gnome.org


___
infrastructure mailing list -- infrastructure@lists.fedoraproject.org
To unsubscribe send an email to infrastructure-le...@lists.fedoraproject.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/infrastructure@lists.fedoraproject.org

Re: [Freeze Break Request ] batcave01: add sysadmin-gnome so they can login and commit to ansible if need be.

[Rick Elrod]

+1 here.

-re

On 3/6/19 5:07 PM, ke...@scrye.com wrote:

From: Kevin Fenzi 

Gnome folks have a gnome-backups01 vm that has a netapp volume for backups.
They manage it via our ansible repo and playbooks.

Signed-off-by: Kevin Fenzi 
---
  inventory/group_vars/batcave | 2 +-
  1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/inventory/group_vars/batcave b/inventory/group_vars/batcave
index c518391..13e8d21 100644
--- a/inventory/group_vars/batcave
+++ b/inventory/group_vars/batcave
@@ -8,7 +8,7 @@ tcp_ports: [ 80, 443, 8443, 8444 ]
  # Neeed for rsync from log01 for logs.
  custom_rules: [ '-A INPUT -p tcp -m tcp -s 10.5.126.13 --dport 873 -j 
ACCEPT', '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT' ]
  
-fas_client_groups: sysadmin-ask,sysadmin-atomic,sysadmin-cvs,sysadmin-main,sysadmin-web,sysadmin-noc,sysadmin-hosted,sysadmin-releng,sysadmin-qa,sysadmin-tools,sysadmin-cloud,sysadmin-bot,sysadmin-centos,sysadmin-koschei,sysadmin-datanommer,sysadmin-fedimg,fi-apprentice,sysadmin-regcfp,sysadmin-badges,sysadmin-mbs,sysadmin-veteran,sysadmin-coreos,sysadmin-upstreamfirst,sysadmin-releasemonitoring,sysadmin-fpdc,sysadmin-messaging,sysadmin-libravatar

+fas_client_groups: 
sysadmin-ask,sysadmin-atomic,sysadmin-cvs,sysadmin-main,sysadmin-web,sysadmin-noc,sysadmin-hosted,sysadmin-releng,sysadmin-qa,sysadmin-tools,sysadmin-cloud,sysadmin-bot,sysadmin-centos,sysadmin-koschei,sysadmin-datanommer,sysadmin-fedimg,fi-apprentice,sysadmin-regcfp,sysadmin-badges,sysadmin-mbs,sysadmin-veteran,sysadmin-coreos,sysadmin-upstreamfirst,sysadmin-releasemonitoring,sysadmin-fpdc,sysadmin-messaging,sysadmin-libravatar,sysadmin-gnome
  
  ansible_base: /srv/web/infra

  freezes: false


___
infrastructure mailing list -- infrastructure@lists.fedoraproject.org
To unsubscribe send an email to infrastructure-le...@lists.fedoraproject.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/infrastructure@lists.fedoraproject.org

Re: Project Details

[Rick Elrod]

Similar to smooge, I'm on the ops side primarily, but I do bounce
around and try to be flexible when needed.

Notable things over the last few months:
- Lots of newcloud work with Kevin, Jim, and Patrick
- Maintained and deployed the websites -- at least enough to get them
updated -- for the last few releases.
- Lots of on-call (especially the last few weeks while people were travelling)
- Lots of proxy rebuilding (tag-teamed these with Kevin to get them
updated to a non-EOL Fedora)
- Got our S3/cloudfront mirror sync working (though it has some issues
and is WIP)
- Focused and presented on some ideas for retaining contributors and
making infrastructure onboarding more interactive and appealing to
people. WIP.
- Calling in drives/problems to vendors and working with dcops to get
them taken care of.
- Maintain our modernpaste pastebin (which I'll have more to say about
at the next infra meeting)
- Maintain the (external) da.gd URL shortener, which Fedora uses in a
fair number of places nowadays
- Package maintenance, though I've been trying to do less of this.

More recent one-off type things, to give an idea of my quotidian work:
- Fixed our robots.txt in staging to make the wiki not be crawlable
- While doing that, discovered that for "reasons" our prod robots.txt
had a lotus-organizer mimetype. Fixed.
- Our GeoDNS stopped working due to GeoIP format change. Wrote a
script to parse and process the new format, and made it a bit better
than the old setup by adding ipv6.

Upcoming-ish plans:
- Experiment and help with eventual migration to RHEL8 by looking at
RHEL8-beta in various places and seeing how much pain getting our
ansible setup to work on it will be.
- Work with smooge(?) on getting some proxies in AWS/EC2.
- Websites work for F30/F31 releases
- Getting more apps in OpenShift

Random/outside of Fedora:
- I have a deep passion for statically typed functional
programming/type theory, and most of my non-Fedora FOSS contributions
are in that space.
- Relatedly, I'm a volunteer on the haskell.org infrastructure team,
though less active nowadays.
- I've taken to playing with various backend networking protocols
(bgp/igp, ospf, etc.) to learn about them with some friends using gre
tunnels.
- I play a few instruments with varying degrees of success.
- I swing dance, DJ swing dances, and run sound systems for live-band
swing dances
- I'm finishing my undergraduate degree (CS/Math dual major,
Linguistics minor); should be graduating in May.
- I have a dog, she keeps me busy.

Rick

On Thu, Jan 31, 2019 at 9:46 AM Karsten Hopp  wrote:
>
> Wow, that's an impressive list !
>
> Mine is much shorter:
>
> - Pagure  (see above)
>
> - Fedora CI (gating)
>https://fedoraproject.org/wiki/CI
>
> - package maintenance, i.e. vim, libcap, ed,  Add tests and enable gating
> ___
> infrastructure mailing list -- infrastructure@lists.fedoraproject.org
> To unsubscribe send an email to infrastructure-le...@lists.fedoraproject.org
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: 
> https://lists.fedoraproject.org/archives/list/infrastructure@lists.fedoraproject.org
___
infrastructure mailing list -- infrastructure@lists.fedoraproject.org
To unsubscribe send an email to infrastructure-le...@lists.fedoraproject.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/infrastructure@lists.fedoraproject.org

Re: [Freeze Break Request: ] Explicitly set Protocol 2 on sshd for pagure.

[Rick Elrod]

+1

On 10/20/18 3:09 PM, ke...@scrye.com wrote:
> From: Kevin Fenzi 
>
> This doesn't actually change anything for sshd (only proto 2 is default),
> However, rkhunter complains about it not setting that explicitly.
> So, this is just to get rkhunter to shut up about it.
>
> Signed-off-by: Kevin Fenzi 
> ---
>  roles/basessh/files/ssh/sshd_config.pagure | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/roles/basessh/files/ssh/sshd_config.pagure 
> b/roles/basessh/files/ssh/sshd_config.pagure
> index 8fca2d4..0425ccb 100644
> --- a/roles/basessh/files/ssh/sshd_config.pagure
> +++ b/roles/basessh/files/ssh/sshd_config.pagure
> @@ -20,7 +20,7 @@
>  #ListenAddress ::
>  
>  # The default requires explicit activation of protocol 1
> -#Protocol 2
> +Protocol 2
>  
>  # HostKey for protocol version 1
>  #HostKey /etc/ssh/ssh_host_key




signature.asc
Description: OpenPGP digital signature
___
infrastructure mailing list -- infrastructure@lists.fedoraproject.org
To unsubscribe send an email to infrastructure-le...@lists.fedoraproject.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/infrastructure@lists.fedoraproject.org

Re: [Freeze Break Request: ] Enable fpdc scopes in ipsilon. Ticket 7299.

[Rick Elrod]

+1
-re

On 10/16/18 12:50 PM, ke...@scrye.com wrote:
> From: Kevin Fenzi 
>
> This simply installs the ipsilon plugin for fpdc scopes and
> restarts it. If there's an issue we can easily remove it to
> roll back to where we were.
>
> +1s?
>
> Signed-off-by: Kevin Fenzi 
> ---
>  roles/ipsilon/tasks/main.yml | 1 +
>  1 file changed, 1 insertion(+)
>
> diff --git a/roles/ipsilon/tasks/main.yml b/roles/ipsilon/tasks/main.yml
> index 9bbccbf..ab2f0a7 100644
> --- a/roles/ipsilon/tasks/main.yml
> +++ b/roles/ipsilon/tasks/main.yml
> @@ -50,6 +50,7 @@
>- wiki
>- freshmaker
>- src
> +  - fpdc
>notify:
>- reload apache
>tags:




signature.asc
Description: OpenPGP digital signature
___
infrastructure mailing list -- infrastructure@lists.fedoraproject.org
To unsubscribe send an email to infrastructure-le...@lists.fedoraproject.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/infrastructure@lists.fedoraproject.org

Re: FBR: Switch Pagure over to aclchecker

[Rick Elrod]

+1

-re

On 10/11/2018 02:22 PM, Patrick マルタインアンドレアス Uiterwijk wrote:
> Hi,
>
> This is the next step of preparing pagure.io for repoSpanner: switch the 
> entry command to aclchecker, which is a small script that calls either 
> repoBridge for repos on repoSpanner (none at this moment) or gitolite for all 
> others.
> This adds some configuration for repobridge, but that won't be used yet.
> This can be reverted by switching the SSH config back to no longer calling 
> keyhelper.
>
> Patrick
>
>
> commit 6d313b60b05b022c1ae04dc81f9956cff33fb5b5 (HEAD -> master)
> Author: Patrick Uiterwijk 
> Date:   Thu Oct 11 20:19:11 2018 +0200
>
> Switch Pagure.io over to aclchecker
> 
> This will make it possible to migrate repositories to repoSpanner.
> 
> Signed-off-by: Patrick Uiterwijk 
>
> diff --git a/roles/pagure/frontend/templates/pagure.cfg 
> b/roles/pagure/frontend/templates/pagure.cfg
> index 4fddd17e7..54e28930b 100644
> --- a/roles/pagure/frontend/templates/pagure.cfg
> +++ b/roles/pagure/frontend/templates/pagure.cfg
> @@ -313,4 +313,21 @@ THEME = 'pagureio'
>  MIRROR_SSHKEYS_FOLDER='/srv/mirror/ssh'
>  
>  SSH_KEYS_USERNAME_EXPECT = "git"
> -SSH_KEYS_OPTIONS = 'command="/usr/share/gitolite3/gitolite-shell 
> %(username)s",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty'
> +SSH_KEYS_OPTIONS = 'restrict,command="/usr/libexec/pagure/aclchecker.py 
> %(username)s"'
> +
> +SSH_COMMAND_REPOSPANNER = ([
> +"/usr/libexec/repobridge",
> +"--extra", "username", "%(username)s",
> +"--extra", "repotype", "%(repotype)s",
> +"--extra", "project_name", "%(project_name)s",
> +"--extra", "project_user", "%(project_user)s",
> +"--extra", "project_namespace", "%(project_namespace)s",
> +"%(cmd)s",
> +"'pagure/%(repotype)s/%(reponame)s'",
> +], {"REPOBRIDGE_CONFIG": "/etc/repobridge/rpms.json"})
> +SSH_COMMAND_NON_REPOSPANNER = ([
> +"/usr/share/gitolite3/gitolite-shell",
> +"%(username)s",
> +"%(cmd)s",
> +"%(reponame)s",
> +], {})
> ___
> infrastructure mailing list -- infrastructure@lists.fedoraproject.org
> To unsubscribe send an email to infrastructure-le...@lists.fedoraproject.org
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: 
> https://lists.fedoraproject.org/archives/list/infrastructure@lists.fedoraproject.org




signature.asc
Description: OpenPGP digital signature
___
infrastructure mailing list -- infrastructure@lists.fedoraproject.org
To unsubscribe send an email to infrastructure-le...@lists.fedoraproject.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/infrastructure@lists.fedoraproject.org

Re: FBR: Disable OCSP on non-proxies

[Rick Elrod]

+1 here.

-re

On 09/25/2018 03:26 PM, Patrick マルタインアンドレアス Uiterwijk wrote:
> Can I get +1s for the following patch?
> Explanation as to why this specific patch is in the commit message.
>
>
>
> commit d2688610419973cd519ef8f8f581a03215aaf73c (HEAD -> master)
> Author: Patrick Uiterwijk 
> Date:   Tue Sep 25 21:25:00 2018 +0200
>
> Only do OCSP stapling on the proxies
> 
> The actual cache is only set in the proxy HTTP config.
> While we could set the cache path in the other servers' configs as well,
> that would be a significantly larger change.
> 
> Signed-off-by: Patrick Uiterwijk 
>
> diff --git a/roles/httpd/website/templates/website.conf 
> b/roles/httpd/website/templates/website.conf
> index 8ff23bbd0..afedf27eb 100644
> --- a/roles/httpd/website/templates/website.conf
> +++ b/roles/httpd/website/templates/website.conf
> @@ -57,7 +57,9 @@
>  {% endif %}
>  
>SSLEngine on
> -  SSLUseStapling on
> +  {% if ansible_hostname.startswith('proxy') %}
> +SSLUseStapling on
> +  {% endif %}
>  {% if certbot %}
>SSLCertificateFile /etc/pki/tls/certs/{{ site_name }}.cert
>SSLCertificateKeyFile /etc/pki/tls/private/{{ site_name }}.key
> ___
> infrastructure mailing list -- infrastructure@lists.fedoraproject.org
> To unsubscribe send an email to infrastructure-le...@lists.fedoraproject.org
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: 
> https://lists.fedoraproject.org/archives/list/infrastructure@lists.fedoraproject.org




signature.asc
Description: OpenPGP digital signature
___
infrastructure mailing list -- infrastructure@lists.fedoraproject.org
To unsubscribe send an email to infrastructure-le...@lists.fedoraproject.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/infrastructure@lists.fedoraproject.org

Re: FBR: upgrading pagure to 5.0

[Rick Elrod]

I'm +0 leaning -1 on doing this on release day, simply because release
days are potentially hectic enough as-is. If the pagure upgrade flops,
then we have more to worry about at the same time, potentially pulling
people away from dealing with beta release stuff.

I'm not convinced waiting one day hurts us that much. Just my $0.02.

Rick

On 09/25/2018 02:11 AM, Pierre-Yves Chibon wrote:
> Good Morning Everyone,
>
> I just cut a new release of pagure: 5.0, the formal announce is pending
> polishing things with mailman so we can include in the announce the new 
> mailing
> lists to discuss/follow pagure.
>  
> Pending this, I'd like to request a Freeze Break Request for upgrading pagure 
> to
> 5.0.
> It's not critical for the release of the beta tomorrow, and it saves one day 
> (vs
> waiting for Wed) for the upgrade which considering some deadlines intern to 
> the
> infra team may be good.
>
> What do you think?
>
>
> Thanks,
> Pierre
>
>
> PS: Sorry for sending this a second time, the first email didn't reach the 
> list
> so let's see if the second one does.
>
>
> ___
> infrastructure mailing list -- infrastructure@lists.fedoraproject.org
> To unsubscribe send an email to infrastructure-le...@lists.fedoraproject.org
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: 
> https://lists.fedoraproject.org/archives/list/infrastructure@lists.fedoraproject.org




signature.asc
Description: OpenPGP digital signature
___
infrastructure mailing list -- infrastructure@lists.fedoraproject.org
To unsubscribe send an email to infrastructure-le...@lists.fedoraproject.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/infrastructure@lists.fedoraproject.org

pkgdb shutdown

[Rick Elrod]

Greetings all,

We had meant to turn off pkgdb *last* July (2017), but due to various
services
depending on it, we kept it running as read-only for the past year. I am
pleased
to announce we have finally shut down the service after replacing the
last known
in-use API endpoint (/api/collections/) with a static JSON file. If you
notice
anything else still trying to query pkgdb, please let us know on the
list or in
#fedora-admin.

Thank you,
Rick



signature.asc
Description: OpenPGP digital signature
___
infrastructure mailing list -- infrastructure@lists.fedoraproject.org
To unsubscribe send an email to infrastructure-le...@lists.fedoraproject.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/infrastructure@lists.fedoraproject.org/message/YPXTH3Z3FPSQJO6QDYH4CUXRUFO5LR3E/

Re: [PATCH] avoid \xZZ in mirrorlist urls

[Rick Elrod]

On May 13, 2010, at 12:05 AM, Matt Domsch wrote:
 
 OK, having spent a few more hours, I don't need the RewriteRule. Yea!
 
 I just need to convert to unicode, and leave it in unicode.  Malformed
 requests fail lookups as would be expected and return the you asked
 for an invalid repo or arch message.  Good requests return the
 mirrorlist.  All is swimmingly.
 
 
 commit 9251a20e8ff8239bae2c74e64ad20a4645423ae9
 Author: Matt Domsch matt_dom...@dell.com
 Date:   Wed May 12 22:59:46 2010 -0500
 
mirrorlist_client: leave query params as utf8
 
 diff --git a/mirrorlist-server/mirrorlist_client.wsgi
 b/mirrorlist-server/mirrorlist_client.wsgi
 index 3508f19..36077a1 100755
 --- a/mirrorlist-server/mirrorlist_client.wsgi
 +++ b/mirrorlist-server/mirrorlist_client.wsgi
 @@ -93,7 +93,7 @@ def request_setup(request):
 
 for k, v in d.iteritems():
 try:
 -d[k] = unicode(v, 'utf8', 'ignore').encode('utf8')
 +d[k] = unicode(v, 'utf8', 'replace')
 except:
 pass
 return d
 

+1
___
infrastructure mailing list
infrastructure@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/infrastructure