Re: Freeze Break Request: update wildcard cert to new one
+1, lgtm assuming you grepped and found all of them (I did not check). -re On Thu, Feb 27, 2020 at 3:26 PM Stephen John Smoogen wrote: > > > This patch should make the changes to the appropriate files so that various > playbooks will use the newer certificate wildcard-2020 > > -- > Stephen J Smoogen. > > ___ > infrastructure mailing list -- infrastructure@lists.fedoraproject.org > To unsubscribe send an email to infrastructure-le...@lists.fedoraproject.org > Fedora Code of Conduct: > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: > https://lists.fedoraproject.org/archives/list/infrastructure@lists.fedoraproject.org ___ infrastructure mailing list -- infrastructure@lists.fedoraproject.org To unsubscribe send an email to infrastructure-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/infrastructure@lists.fedoraproject.org
Re: FBR: Add monitoring for website build fails
On Thu, Feb 27, 2020 at 4:31 AM Clement Verna wrote: > > > > On Thu, 27 Feb 2020 at 06:53, Rick Elrod wrote: >> >> I'd like to apply the following which does: >> - Adds a script I wrote for reading a timestamp from a file on disk >> and alerting if the timestamp within it is NOT within a particular >> delta to now. >> - Applies this to sundries01 and uses it to check >> /srv/websites/getfedora.org/build.timestamp.txt which now gets >> generated as part of the websites build. >> >> The purpose is because sometimes someone will commit something to the >> websites repo which breaks the build, but because of how we have >> things set up in openshift (cronjob), we don't get any kind of alert >> when that happens. > > > I think it would be better to find a way to monitor the cronjob in OpenShift > since that will be useful for other projects. > Did you investigate that idea ? > >> >> >> Right now this sets the delta to 3 hours. In theory it should be 1, >> but I figure let it try to build a few times before we start alerting. > > > +1 but I would prefer a way to have notification on a failed cronjob :-) I'd prefer that too (or probably in addition), but I don't know anything about how to set up that monitoring right now. It looks like there's an OpenShift API endpoint for monitoring crons: https://major.io/2019/11/18/monitoring-openshift-cron-jobs/ but we'd need to set up an API key for nagios checks to use somehow. Probably worth looking into, but for the time being I'd still like to apply this FBR, as we are going to have some Outreachy activity happening on websites soon and we need to know that the prod build isn't broken. -re > >> >> >> Rick >> >> >> commit 657d050f6d699bc43973d968cd93d12131fca7f2 >> Author: Rick Elrod >> Date: Thu Feb 27 05:29:24 2020 + >> >> nagios: Add script and check for checking that a timestamp within >> a file is within a delta of now, and then use this for alerting when >> websites stop building >> >> Signed-off-by: Rick Elrod >> >> diff --git a/roles/nagios_client/files/scripts/check_timestamp_from_file >> b/roles/nagios_client/files/scripts/check_timestamp_from_file >> new file mode 100644 >> index 000..9064337 >> --- /dev/null >> +++ b/roles/nagios_client/files/scripts/check_timestamp_from_file >> @@ -0,0 +1,43 @@ >> +#!/usr/bin/env python >> + >> +# Takes a path to a file and a delta. The file must simply contain an epoch >> +# timestamp. It can be an integer or a float, as can the delta. >> +# >> +# Alerts critical if (now - timestamp contained in file) > delta. >> +# >> +# Rick Elrod >> +# MIT >> + >> +import sys >> +import time >> + >> +if len(sys.argv) != 3: >> +print('UNKNOWN: Pass path to file and delta as parameters') >> +sys.exit(3) >> + >> +filename = sys.argv[1] >> +delta = float(sys.argv[2]) >> + >> +timestamp = None >> + >> +try: >> +with open(filename, 'r') as f: >> +timestamp = float(f.read().strip()) >> +except Exception as e: >> +print('UNKNOWN: Unable to open/read file path') >> +sys.exit(3) >> + >> +difference = round(time.time() - timestamp, 2) >> +if difference > delta: >> +print( >> +'CRITICAL: Timestamp in file (%.2f) exceeds delta (%.2f) by >> %.2f seconds' % ( >> +timestamp, >> +delta, >> +difference - delta)) >> +sys.exit(2) >> + >> +print('OK: Timestamp in file (%.2f) is within delta (%.2f) of now, by >> %.2f seconds' % ( >> +timestamp, >> +delta, >> +abs(difference - delta))) >> +sys.exit(0) >> diff --git a/roles/nagios_client/tasks/main.yml >> b/roles/nagios_client/tasks/main.yml >> index 2e5e0df..8e71a3b 100644 >> --- a/roles/nagios_client/tasks/main.yml >> +++ b/roles/nagios_client/tasks/main.yml >> @@ -47,6 +47,7 @@ >>- check_osbs_api.py >>- check_ipa_replication >>- check_redis_queue.sh >> + - check_timestamp_from_file >>when: not inventory_hostname.startswith('noc') >>tags: >>- nagios_client >> @@ -226,6 +227,16 @@ >>tags: >>- nagios_client >> >> +- name: install nrpe checks for sundries/websites >> + template: src={{ item }}.j2 dest=/etc/nrpe.d/{{ item }} owner=root >> group=root mode=0644 >> + with_items: >> + - check_websites_buildtime.cfg >> + when: inventory_hostname.startswith('sundries') >> + n
FBR: Add monitoring for website build fails
I'd like to apply the following which does: - Adds a script I wrote for reading a timestamp from a file on disk and alerting if the timestamp within it is NOT within a particular delta to now. - Applies this to sundries01 and uses it to check /srv/websites/getfedora.org/build.timestamp.txt which now gets generated as part of the websites build. The purpose is because sometimes someone will commit something to the websites repo which breaks the build, but because of how we have things set up in openshift (cronjob), we don't get any kind of alert when that happens. Right now this sets the delta to 3 hours. In theory it should be 1, but I figure let it try to build a few times before we start alerting. Rick commit 657d050f6d699bc43973d968cd93d12131fca7f2 Author: Rick Elrod Date: Thu Feb 27 05:29:24 2020 + nagios: Add script and check for checking that a timestamp within a file is within a delta of now, and then use this for alerting when websites stop building Signed-off-by: Rick Elrod diff --git a/roles/nagios_client/files/scripts/check_timestamp_from_file b/roles/nagios_client/files/scripts/check_timestamp_from_file new file mode 100644 index 000..9064337 --- /dev/null +++ b/roles/nagios_client/files/scripts/check_timestamp_from_file @@ -0,0 +1,43 @@ +#!/usr/bin/env python + +# Takes a path to a file and a delta. The file must simply contain an epoch +# timestamp. It can be an integer or a float, as can the delta. +# +# Alerts critical if (now - timestamp contained in file) > delta. +# +# Rick Elrod +# MIT + +import sys +import time + +if len(sys.argv) != 3: +print('UNKNOWN: Pass path to file and delta as parameters') +sys.exit(3) + +filename = sys.argv[1] +delta = float(sys.argv[2]) + +timestamp = None + +try: +with open(filename, 'r') as f: +timestamp = float(f.read().strip()) +except Exception as e: +print('UNKNOWN: Unable to open/read file path') +sys.exit(3) + +difference = round(time.time() - timestamp, 2) +if difference > delta: +print( +'CRITICAL: Timestamp in file (%.2f) exceeds delta (%.2f) by %.2f seconds' % ( +timestamp, +delta, +difference - delta)) +sys.exit(2) + +print('OK: Timestamp in file (%.2f) is within delta (%.2f) of now, by %.2f seconds' % ( +timestamp, +delta, +abs(difference - delta))) +sys.exit(0) diff --git a/roles/nagios_client/tasks/main.yml b/roles/nagios_client/tasks/main.yml index 2e5e0df..8e71a3b 100644 --- a/roles/nagios_client/tasks/main.yml +++ b/roles/nagios_client/tasks/main.yml @@ -47,6 +47,7 @@ - check_osbs_api.py - check_ipa_replication - check_redis_queue.sh + - check_timestamp_from_file when: not inventory_hostname.startswith('noc') tags: - nagios_client @@ -226,6 +227,16 @@ tags: - nagios_client +- name: install nrpe checks for sundries/websites + template: src={{ item }}.j2 dest=/etc/nrpe.d/{{ item }} owner=root group=root mode=0644 + with_items: + - check_websites_buildtime.cfg + when: inventory_hostname.startswith('sundries') + notify: + - restart nrpe + tags: + - nagios_client + - name: install nrpe config for the RabbitMQ checks template: src: "rabbitmq_args.ini.j2" diff --git a/roles/nagios_client/templates/check_websites_buildtime.cfg.j2 b/roles/nagios_client/templates/check_websites_buildtime.cfg.j2 new file mode 100644 index 000..ff5639d --- /dev/null +++ b/roles/nagios_client/templates/check_websites_buildtime.cfg.j2 @@ -0,0 +1,2 @@ +# Alert if websites haven't been built in 3 hours +command[check_websites_buildtime]={{ libdir }}/nagios/plugins/check_timestamp_from_file /srv/websites/getfedora.org/build.timestamp.txt 10800 diff --git a/roles/nagios_server/templates/nagios/services/websites.cfg.j2 b/roles/nagios_server/templates/nagios/services/websites.cfg.j2 index 85e8f8e..c8958d7 100644 --- a/roles/nagios_server/templates/nagios/services/websites.cfg.j2 +++ b/roles/nagios_server/templates/nagios/services/websites.cfg.j2 @@ -316,4 +316,14 @@ define service { use ppc-secondarytemplate } +## Auxillary to websites but necessary to make them happen + +define service { + host_name sundries01.phx2.fedoraproject.org + service_description websites build happened recently + check_command check_by_nrpe!check_websites_buildtime + use websitetemplate +} + + {% endif %} ___ infrastructure mailing list -- infrastructure@lists.fedoraproject.org To unsubscribe send an email to infrastructure-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/infrastructure@lists.fedoraproject.org
Re: OpenShift-apps playbooks in the master.yml playbook
On 2019-11-18 06:59, Clement Verna wrote: > Hey all, > > I have just disabled the openshift-apps playbooks from running in the > master playbook run (see > https://infrastructure.fedoraproject.org/cgit/ansible.git/commit/master.yml?id=dccf42cd510703d6ddb5bb444aed7ce24ee1c334). I'm -1 on this. Production apps should make use of git branches and deploy from, say, a "production" branch. Then a deployment at any moment wouldn't unexpectedly break an app. Staging apps can do similar. Basically anything that isn't just being tested/experimented with (which should happen in communishift) can do similar. > > The reason behind is that the openshift-apps playbook are written to > trigger a new build and a new deployment of the application at each run, > this means that every time the master.yml playbook is run we build a > version of the application and deploy it. > Since a few of our applications are using source-to-image to build the > container directly from git it means that a master.yml run can deploy > new code into production without the maintainer of that application > being aware of it. > Again, these s2i images should pull from a distinguished branch, then this becomes a nonissue. -re > I wanted to raise awareness of this problem and ask the following > questions. > > Do we need to have the openshift-apps in the master.yml ? If yes how do > we prevent the run from deploying unwanted changes in production ? > > Thanks > Clément > > ___ > infrastructure mailing list -- infrastructure@lists.fedoraproject.org > To unsubscribe send an email to infrastructure-le...@lists.fedoraproject.org > Fedora Code of Conduct: > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: > https://lists.fedoraproject.org/archives/list/infrastructure@lists.fedoraproject.org > pEpkey.asc Description: application/pgp-keys ___ infrastructure mailing list -- infrastructure@lists.fedoraproject.org To unsubscribe send an email to infrastructure-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/infrastructure@lists.fedoraproject.org
Re: [PATCH 2/2] bodhi-pungi: enable aarch64 and ppc64le for silverblue updates
+1 -re On 2019-10-24 15:51, Mohan Boddu wrote: +1 LGTM On Thu, Oct 24, 2019 at 3:36 PM Dusty Mabe wrote: --- roles/bodhi2/backend/templates/pungi.rpm.conf.j2 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/bodhi2/backend/templates/pungi.rpm.conf.j2 b/roles/bodhi2/backend/templates/pungi.rpm.conf.j2 index 28b524a10..640ddf058 100644 --- a/roles/bodhi2/backend/templates/pungi.rpm.conf.j2 +++ b/roles/bodhi2/backend/templates/pungi.rpm.conf.j2 @@ -193,8 +193,8 @@ ostree = { "ostree_ref": "fedora/[[ release.version_int ]]/${basearch}/testing/silverblue", [% endif %] "tag_ref": False, -"arches": ["x86_64"], -"failable": ["x86_64"] +"arches": ["x86_64", "ppc64le", "aarch64" ], +"failable": ["x86_64", "ppc64le", "aarch64" ] }, ] } -- 2.20.1 ___ infrastructure mailing list -- infrastructure@lists.fedoraproject.org To unsubscribe send an email to infrastructure-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/infrastructure@lists.fedoraproject.org ___ infrastructure mailing list -- infrastructure@lists.fedoraproject.org To unsubscribe send an email to infrastructure-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/infrastructure@lists.fedoraproject.org ___ infrastructure mailing list -- infrastructure@lists.fedoraproject.org To unsubscribe send an email to infrastructure-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/infrastructure@lists.fedoraproject.org
Re: [PATCH 1/2] bodhi-pungi: F32 will be the next "branched"
+1 for the same reason. -re On 2019-10-24 16:23, Mohan Boddu wrote: Since rawhide is not uses pungi, I think we are okay with this change. +1 LGTM On Thu, Oct 24, 2019 at 4:13 PM Mohan Boddu wrote: No, with rawhide gating we are using bodhi to push rawhide builds as updates, I think it might call it and cause some issues. On Thu, Oct 24, 2019 at 4:05 PM Dusty Mabe wrote: On 10/24/19 4:02 PM, Mohan Boddu wrote: Just wondering, doesn't it affect rawhide composes, since rawhide is still 32? IIUC the first time this will take any effect is when we start calling bodhi with '32' as the number (i.e. after we have branched and rawhide is now 33). Dusty ___ infrastructure mailing list -- infrastructure@lists.fedoraproject.org To unsubscribe send an email to infrastructure-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/infrastructure@lists.fedoraproject.org ___ infrastructure mailing list -- infrastructure@lists.fedoraproject.org To unsubscribe send an email to infrastructure-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/infrastructure@lists.fedoraproject.org
Re: [PATCH] new-updates-sync: sync multiarch silverblue ostree content
+1 after the syntax fix I mentioned inline. -re On 2019-10-24 15:56, Dusty Mabe wrote: --- roles/bodhi2/backend/files/new-updates-sync | 10 ++ 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/roles/bodhi2/backend/files/new-updates-sync b/roles/bodhi2/backend/files/new-updates-sync index d08c89301..9ad7628b8 100755 --- a/roles/bodhi2/backend/files/new-updates-sync +++ b/roles/bodhi2/backend/files/new-updates-sync @@ -25,8 +25,9 @@ RELEASES = {'f31': {'topic': 'fedora', 'modules': ['fedora', 'fedora-secondary'], 'repos': {'updates': { 'from': 'f31-updates', -'ostrees': [{'ref': 'fedora/31/x86_64/updates/silverblue', - 'dest': OSTREEDEST}], +'ostrees': [{'ref': 'fedora/31/%(arch)s/updates/silverblue', + 'dest': OSTREEDEST, + 'arches': ['x86_64', 'ppc64le', 'aarch64']}, I think this is missing another ] at the end before the comma (to match with the [ after 'ostrees': 'to': [{'arches': ['x86_64', 'armhfp', 'aarch64', 'source'], 'dest': os.path.join(FEDORADEST, '31', 'Everything')}, {'arches': ['ppc64le', 's390x'], @@ -34,8 +35,9 @@ RELEASES = {'f31': {'topic': 'fedora', ]}, 'updates-testing': { 'from': 'f31-updates-testing', -'ostrees': [{'ref': 'fedora/31/x86_64/testing/silverblue', - 'dest': OSTREEDEST}], +'ostrees': [{'ref': 'fedora/31/%(arch)s/testing/silverblue', + 'dest': OSTREEDEST, + 'arches': ['x86_64', 'ppc64le', 'aarch64']}, Same here. 'to': [{'arches': ['x86_64', 'aarch64', 'armhfp', 'source'], 'dest': os.path.join(FEDORADEST, 'testing', '31', 'Everything')}, {'arches': ['ppc64le', 's390x'], ___ infrastructure mailing list -- infrastructure@lists.fedoraproject.org To unsubscribe send an email to infrastructure-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/infrastructure@lists.fedoraproject.org
Re: Big Freeze Break Request: replicate db-koji01
+1 on #1 -re On 2019-10-22 16:56, Stephen John Smoogen wrote: On Tue, 22 Oct 2019 at 16:55, Mohan Boddu wrote: On Mon, Oct 21, 2019 at 2:48 PM Kevin Fenzi wrote: So, I got db-koji02 all setup and doing streaming replication from db-koji01. It has no trouble keeping up. The bad news is, it doesn't solve the backup problem. * If I just do a backup on db-koji02 and don't have hot_standby_feedback on, the backup fails because the primary (01) vacuums or otherwise drops rows that the backup is trying to read. * If I do a backup on db-koji02 with hot_standby_feedback enabled, the backup fails due to a 30 second timeout in streaming delay. ie, 02: "hey, I am backing up these rows, keep them for me until I'm done" 01: "sure, no problem" 02: ...backs up... 30 seconds pass, still backing up... 02: woah, I am 30s behind in replication now due to this lock. Longer term the problem is really going to need to be solved in koji. There's 2 tables that are gigantic: buildroot_listing (203GB) and tasks (93GB). Those tables need to have lots of things inserting into them, so backing them up will always slow things down. Hopefully they can use partitioning or something and fix this upstream. Possible solutions until they do: 1. I can try and increase max_standby_streaming_delay from 30s to say 90s. This might allow it enough time to copy things with all the locks. +1 2. We could try breaking the replication, doing the backup on 02 and reconnecting it. This may be difficult to automate and I worry that it might not be consistent if we just disconnect. 3. We could just say that having a hot spare is ok for now and kick the can down the road and not worry about backups. Personally, I am willing to try 1 (will need more +1's for freeze break), I don't really like 2 and 3 seems a bit scary, but I guess it could be ok until after freeze. Thoughts? I prefer #1 compared to #2 and #3. I think for the next week while Kevin is on vacation.. #1 is what we should go with. ___ infrastructure mailing list -- infrastructure@lists.fedoraproject.org To unsubscribe send an email to infrastructure-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/infrastructure@lists.fedoraproject.org
Re: Big Freeze Break Request: replicate db-koji01
I'm +1 to this, I don't think we should be going without db backups especially at this point in the cycle. Happy to help with some of it as well. Rick On 2019-10-16 18:35, Kevin Fenzi wrote: Greetings folks. As you may know, currently database backups on db-koji01 are causing very heavy load, disrupting our users builds ( https://pagure.io/fedora-infrastructure/issue/8292 ) so, they are currently disabled. However, not having current backups is not a good thing, IMHO. So, I am considering the idea of adding a db-koji02 vm (also rhel7 using the same postgres version that db-koji01 is) and enabling streaming replication from db-koji01 -> db-koji02 and then once thats working, run the database backups on db-koji02. It turns out this doesn't require that many changes on db-koji01: * adding a replication user * Setting 3 new lines of postgresql config and restarting: wal_level = 'hot_standby' max_wal_senders = 10 wal_keep_segments = 100 (May need to adjust senders and keep segments) All the other changes are on db-koji02: * create/setup the vm * run pg_basebackup to pull all the current data from 01 * setup postgresql.conf and recovery.conf files * start server and confirm it keeps up with 01 * run pg_dump and confirm it keeps up with 01 This is, of course a really big change in a freeze to a criticial service, so I'd like to get thoughts from others about it. Should we wait until after freeze and do without backups until then (note, that we have never had to restore this db from backups in the past, although we have dumped/restored it to move to newer postgres versions)? Is there something else we can do thats easier to mitigate the issues right now? Thoughts? ideas? Rotten fruit? kevin ___ infrastructure mailing list -- infrastructure@lists.fedoraproject.org To unsubscribe send an email to infrastructure-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/infrastructure@lists.fedoraproject.org ___ infrastructure mailing list -- infrastructure@lists.fedoraproject.org To unsubscribe send an email to infrastructure-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/infrastructure@lists.fedoraproject.org
Re: Freeze break request: add registry-no-cdn version3
And the next issue was indeed found. Thanks to otaylor for pointing out my logic fail, and apologies to nirik for breaking his already correct logic. -1 on this version because I am dumb. -re On 2019-10-15 14:56, ke...@scrye.com wrote: Cast aside all other versions! This is it! (until the next issue is found) ___ infrastructure mailing list -- infrastructure@lists.fedoraproject.org To unsubscribe send an email to infrastructure-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/infrastructure@lists.fedoraproject.org ___ infrastructure mailing list -- infrastructure@lists.fedoraproject.org To unsubscribe send an email to infrastructure-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/infrastructure@lists.fedoraproject.org
Re: [PATCH] proxies: add registry-no-cdn in a better/simplier way
+1 to this version of it, with the removal of the /'s in the regex which I think Apache would take literally. If we want to be pedantic, then escape the .'s in the regex with a \, but in this case it doesn't matter much. -re On 2019-10-15 14:19, ke...@scrye.com wrote: From: Kevin Fenzi This version is just two lines. Adding a host alias to registry so it uses the same vhost there, and then checking for the hostname in the rewrite. Signed-off-by: Kevin Fenzi --- playbooks/include/proxies-websites.yml | 2 +- .../httpd/reverseproxy/templates/reversepassproxy.registry-generic.conf | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/playbooks/include/proxies-websites.yml b/playbooks/include/proxies-websites.yml index 8dd1740..c87677f 100644 --- a/playbooks/include/proxies-websites.yml +++ b/playbooks/include/proxies-websites.yml @@ -666,7 +666,7 @@ - role: httpd/website site_name: registry.fedoraproject.org -server_aliases: [registry.stg.fedoraproject.org] +server_aliases: [registry.stg.fedoraproject.org registry-no-cdn.fedoraproject.org] sslonly: true cert_name: "{{wildcard_cert_name}}" diff --git a/roles/httpd/reverseproxy/templates/reversepassproxy.registry-generic.conf b/roles/httpd/reverseproxy/templates/reversepassproxy.registry-generic.conf index 8a97f39..9bc9eba 100644 --- a/roles/httpd/reverseproxy/templates/reversepassproxy.registry-generic.conf +++ b/roles/httpd/reverseproxy/templates/reversepassproxy.registry-generic.conf @@ -6,6 +6,7 @@ ProxyPreserveHost On {% if env == "production" %} RewriteCond %{HTTP:VIA} !cdn77 +RewriteCond %{SERVER_NAME} !/^registry-no-cdn.fedoraproject.org$/ RewriteCond %{REQUEST_METHOD} !^(PATCH|POST|PUT|DELETE|HEAD)$ RewriteRule ^/v2/(.*)/blobs/([a-zA-Z0-9:]*) https://cdn.registry.fedoraproject.org/v2/$1/blobs/$2 [R] {% endif %} ___ infrastructure mailing list -- infrastructure@lists.fedoraproject.org To unsubscribe send an email to infrastructure-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/infrastructure@lists.fedoraproject.org
Re: Freeze Break Request: update openssl on proxy servers
+1 here -re On 9/17/19 1:46 PM, Kevin Fenzi wrote: Greetings. I'd like to apply: https://bodhi.fedoraproject.org/updates/FEDORA-2019-d51641f152 to our proxy servers and restart httpd on them. This is to fix: https://pagure.io/fedora-infrastructure/issue/8173 https://bugzilla.redhat.com/show_bug.cgi?id=1737471 (basically newer podman (in f31+) cannot pull images from our registry due to a openssl bug. Id like to get this out today since beta went out today and people are going to start trying to use it. If I don't get enough +1's I'll just apply it tomorrow after freeze. kevin ___ infrastructure mailing list -- infrastructure@lists.fedoraproject.org To unsubscribe send an email to infrastructure-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/infrastructure@lists.fedoraproject.org ___ infrastructure mailing list -- infrastructure@lists.fedoraproject.org To unsubscribe send an email to infrastructure-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/infrastructure@lists.fedoraproject.org
Re: Freeze Break Request: Fix typo in bodhi status variable
+1 -re On 9/9/19 2:34 PM, Kevin Fenzi wrote: Greetings. We have a variable in: vars/all/FedoraBranchedBodhi.yaml thats used in our bodhi config to set the proper policies. The template uses 'predeta' and 'postbeta'... but the variable was updated to 'preBeta', which isn't going to work. I'd like to apply the following and run the bodhi backend playbook: diff --git a/vars/all/FedoraBranchedBodhi.yaml b/vars/all/FedoraBranchedBodhi.yaml index 91f82f2..f0cca9a 100644 --- a/vars/all/FedoraBranchedBodhi.yaml +++ b/vars/all/FedoraBranchedBodhi.yaml @@ -1,2 +1,2 @@ -#options are: preBeta, postBeta, current -FedoraBranchedBodhi: preBeta +#options are: prebeta, postbeta, current +FedoraBranchedBodhi: prebeta kevin ___ infrastructure mailing list -- infrastructure@lists.fedoraproject.org To unsubscribe send an email to infrastructure-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/infrastructure@lists.fedoraproject.org ___ infrastructure mailing list -- infrastructure@lists.fedoraproject.org To unsubscribe send an email to infrastructure-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/infrastructure@lists.fedoraproject.org
Re: Freeze break request: update registry.redhat.io ip
+1 -re On 9/9/19 2:06 PM, Kevin Fenzi wrote: diff --git a/roles/hosts/files/os-hosts b/roles/hosts/files/os-hosts index e9dc0a2..3c283e3 100644 --- a/roles/hosts/files/os-hosts +++ b/roles/hosts/files/os-hosts @@ -1,4 +1,4 @@ 127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 104.112.85.238 registry.access.redhat.com -104.69.74.100 registry.redhat.io +184.86.192.77 registry.redhat.io This should fix https://pagure.io/fedora-infrastructure/issue/8180 +1s? kevin ___ infrastructure mailing list -- infrastructure@lists.fedoraproject.org To unsubscribe send an email to infrastructure-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/infrastructure@lists.fedoraproject.org ___ infrastructure mailing list -- infrastructure@lists.fedoraproject.org To unsubscribe send an email to infrastructure-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/infrastructure@lists.fedoraproject.org
Re: [PATCH] ipsilon: add aws-copr group to ipsilon for aws access.
+1 -re On 9/3/19 7:59 PM, Kevin Fenzi wrote: Signed-off-by: Kevin Fenzi --- roles/ipsilon/files/infofas.py | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/ipsilon/files/infofas.py b/roles/ipsilon/files/infofas.py index 2b59000..5454edf 100644 --- a/roles/ipsilon/files/infofas.py +++ b/roles/ipsilon/files/infofas.py @@ -49,6 +49,7 @@ aws_groups = { 'aws-cloud-poc': 'arn:aws:iam::125523088429:role/aws-cloud-poc', 'aws-infra': 'arn:aws:iam::125523088429:role/aws-infra', 'aws-docs': 'arn:aws:iam::125523088429:role/aws-docs', +'aws-copr': 'arn:aws:iam::125523088429:role/aws-copr', } ___ infrastructure mailing list -- infrastructure@lists.fedoraproject.org To unsubscribe send an email to infrastructure-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/infrastructure@lists.fedoraproject.org
Re: FBR: Sunset infinote
+1 thanks for working on this. -re On 9/3/19 3:10 PM, Clement Verna wrote: Hi all, The attached patch remove infinote from ansible. I would like to apply this then delete the virtual host and finally the run the nagios playbook so that we don't monitor this service anymore. Content was backed up here --> https://infrastructure.fedoraproject.org/infra/retired/infinote.fedoraproject.org/infinote/. Once all done, I ll communicate that the service was retired on the different lists the sunset was advertised. +1s ? Thanks ___ infrastructure mailing list -- infrastructure@lists.fedoraproject.org To unsubscribe send an email to infrastructure-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/infrastructure@lists.fedoraproject.org ___ infrastructure mailing list -- infrastructure@lists.fedoraproject.org To unsubscribe send an email to infrastructure-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/infrastructure@lists.fedoraproject.org
Re: [PATCH] robosignatory: add f31/f32 infra tags and f31-gnome side tag to be signed.
+1 here. -re On 9/3/19 1:30 PM, Kevin Fenzi wrote: Signed-off-by: Kevin Fenzi --- roles/robosignatory/files/robosignatory.production.py | 18 ++ 1 file changed, 18 insertions(+) diff --git a/roles/robosignatory/files/robosignatory.production.py b/roles/robosignatory/files/robosignatory.production.py index 2d7013b..e2cbc3d 100644 --- a/roles/robosignatory/files/robosignatory.production.py +++ b/roles/robosignatory/files/robosignatory.production.py @@ -50,6 +50,12 @@ config = { "keyid": "3c3359c4" }, { +"from": "f31-gnome", +"to": "f31-gnome", +"key": "fedora-31", +"keyid": "3c3359c4" +}, +{ "from": "f31-python", "to": "f31-python", "key": "fedora-31", @@ -98,6 +104,18 @@ config = { "key": "fedora-infra", "keyid": "47dd8ef9" }, +{ +"from": "f31-infra-candidate", +"to": "f31-infra-stg", +"key": "fedora-infra", +"keyid": "47dd8ef9" +}, +{ +"from": "f32-infra-candidate", +"to": "f32-infra-stg", +"key": "fedora-infra", +"keyid": "47dd8ef9" +}, # Gated coreos-pool tag { ___ infrastructure mailing list -- infrastructure@lists.fedoraproject.org To unsubscribe send an email to infrastructure-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/infrastructure@lists.fedoraproject.org
Re: Freeze break request: h2 testing on rawhide
On 8/30/19 12:21 PM, Kevin Fenzi wrote: Can I get some +1s for this plan? +1, easy to back out if it breaks. Rick ___ infrastructure mailing list -- infrastructure@lists.fedoraproject.org To unsubscribe send an email to infrastructure-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/infrastructure@lists.fedoraproject.org
Re: [[FBR] Freeze Break Request: ] dns: Actually drop the limit on the group we defined in the last commit.
+1 here too. On 4/30/19 4:41 PM, ke...@scrye.com wrote: From: Kevin Fenzi Signed-off-by: Kevin Fenzi --- roles/dns/files/named.conf | 4 1 file changed, 4 insertions(+) diff --git a/roles/dns/files/named.conf b/roles/dns/files/named.conf index c13d65e..e210088 100644 --- a/roles/dns/files/named.conf +++ b/roles/dns/files/named.conf @@ -574,6 +574,10 @@ view "RDU2" { view "NA" { match-clients { US; CA; MX; }; recursion no; +// no rate-limit on internal requests +rate-limit { + exempt-clients { ns_redhat; }; +}; zone "fedoraproject.org" { type master; file "/var/named/master/built/NA/fedoraproject.org.signed"; ___ infrastructure mailing list -- infrastructure@lists.fedoraproject.org To unsubscribe send an email to infrastructure-le...@lists.fedoraproject.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/infrastructure@lists.fedoraproject.org
Re: [[FBR] Freeze Break Request: ] dns: add 2 rh nameservers that make a lot of legit queries against our dns.
+1 -re On 4/30/19 4:36 PM, ke...@scrye.com wrote: From: Kevin Fenzi Signed-off-by: Kevin Fenzi --- roles/dns/files/named.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/dns/files/named.conf b/roles/dns/files/named.conf index df539bf..c13d65e 100644 --- a/roles/dns/files/named.conf +++ b/roles/dns/files/named.conf @@ -20,7 +20,7 @@ acl "everyone-v4" { 0.0.0.0/0; }; acl "everyone-v6" { ::0/0; }; acl "everyone" { 0.0.0.0/0; ::0/0; }; // -acl "ns_redhat" { 66.187.233.210; 209.132.183.2; 66.187.229.10; }; +acl "ns_redhat" { 66.187.233.210; 209.132.183.22; 209.132.183.30; 209.132.183.2; 66.187.229.10; }; // acl "phx2net" { 10.4.124.128/25; 10.5.78.0/24; 10.5.79.0/24; 10.5.125.0/24; 10.5.126.0/24; 10.5.127.0/24; 10.5.128.0/24; 10.5.129.0/24; 10.5.130.0/24; 10.16.0.0/24; }; acl "rdu2net" { 172.31.1.0/24; 172.31.2.0/24; }; ___ infrastructure mailing list -- infrastructure@lists.fedoraproject.org To unsubscribe send an email to infrastructure-le...@lists.fedoraproject.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/infrastructure@lists.fedoraproject.org
Re: Heads-up: Deleting fas3_server role from ansible
+1, I think you can also delete inventory/host_vars/fas3* and related playbooks. -re On 4/19/19 10:13 AM, Clement Verna wrote: Hi all, I ll be deleting the fas3_server role from our ansible repository since it is currently not used and we are moving away from FAS. See the file diff below. Please let me know, if for any reason we should keep this role. Thanks Clément --- roles/fas3_server/files/accounts.conf | 31 roles/fas3_server/files/copr.repo | 8 - roles/fas3_server/tasks/main.yml | 55 -- roles/fas3_server/templates/production.ini | 198 - 4 files changed, 292 deletions(-) delete mode 100644 roles/fas3_server/files/accounts.conf delete mode 100644 roles/fas3_server/files/copr.repo delete mode 100644 roles/fas3_server/tasks/main.yml delete mode 100644 roles/fas3_server/templates/production.ini ___ infrastructure mailing list -- infrastructure@lists.fedoraproject.org To unsubscribe send an email to infrastructure-le...@lists.fedoraproject.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/infrastructure@lists.fedoraproject.org ___ infrastructure mailing list -- infrastructure@lists.fedoraproject.org To unsubscribe send an email to infrastructure-le...@lists.fedoraproject.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/infrastructure@lists.fedoraproject.org
Re: Heads-up: Deleting graphite role from ansible
+1, this was an experiment I led. Grafana/graphite is pretty and I'd love to have pretty dashboards to get various views into our infrastructure, but I never got around to setting it up beyond just dumping our collectd stats into it. It's something I'd like to perhaps revisit down the road some day, but it isn't likely to be any time soon. +1 to delete it. -re On 4/19/19 10:17 AM, Clement Verna wrote: Hi all, I ll be deleting the graphite role from our ansible repository since it is currently not used. See the file diff below. Please let me know, if for any reason we should keep this role. Thanks Clément --- .../fedmsg2statsd/files/cabal-install.repo| 7 - .../fedmsg2statsd/files/fedmsg2statsd.service | 15 -- .../graphite/fedmsg2statsd/handlers/main.yml | 3 - roles/graphite/fedmsg2statsd/tasks/main.yml | 57 - roles/graphite/grafana/files/grafana.repo | 9 - roles/graphite/grafana/files/grafana.service | 23 -- roles/graphite/grafana/handlers/main.yml | 3 - roles/graphite/grafana/tasks/main.yml | 54 - roles/graphite/grafana/templates/grafana.conf | 28 --- roles/graphite/graphite/tasks/main.yml| 48 .../graphite/templates/graphite-web.conf | 45 .../graphite/templates/local_settings.py | 212 -- roles/graphite/statsd/tasks/main.yml | 14 -- 13 files changed, 518 deletions(-) delete mode 100644 roles/graphite/fedmsg2statsd/files/cabal-install.repo delete mode 100644 roles/graphite/fedmsg2statsd/files/fedmsg2statsd.service delete mode 100644 roles/graphite/fedmsg2statsd/handlers/main.yml delete mode 100644 roles/graphite/fedmsg2statsd/tasks/main.yml delete mode 100644 roles/graphite/grafana/files/grafana.repo delete mode 100644 roles/graphite/grafana/files/grafana.service delete mode 100644 roles/graphite/grafana/handlers/main.yml delete mode 100644 roles/graphite/grafana/tasks/main.yml delete mode 100644 roles/graphite/grafana/templates/grafana.conf delete mode 100644 roles/graphite/graphite/tasks/main.yml delete mode 100644 roles/graphite/graphite/templates/graphite-web.conf delete mode 100644 roles/graphite/graphite/templates/local_settings.py delete mode 100644 roles/graphite/statsd/tasks/main.yml ___ infrastructure mailing list -- infrastructure@lists.fedoraproject.org To unsubscribe send an email to infrastructure-le...@lists.fedoraproject.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/infrastructure@lists.fedoraproject.org ___ infrastructure mailing list -- infrastructure@lists.fedoraproject.org To unsubscribe send an email to infrastructure-le...@lists.fedoraproject.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/infrastructure@lists.fedoraproject.org
Re: FBR: Push a fix to clean_amis.py in fedimg box
+1 -re On 3/27/19 5:57 AM, Sayan Chowdhury wrote: I need to push a fix to run the clean_amis script. The diff is as follows: diff --git a/roles/fedimg/files/clean-amis.py b/roles/fedimg/files/clean-amis.py index d0a491824..8e8cfff91 100644 --- a/roles/fedimg/files/clean-amis.py +++ b/roles/fedimg/files/clean-amis.py @@ -116,7 +116,7 @@ def get_page(page, delta, topic, start=None, end=None): return resp.json() -def _get_two_week_atomic_released_compose_id(delta, start=None, end=None): +def _get_two_week_released_atomic_compose_id(delta, start=None, end=None): """ Returns the release compose ids for last n days """ topic = "org.fedoraproject.prod.releng.atomic.twoweek.complete" @@ -136,7 +136,7 @@ def _get_two_week_atomic_released_compose_id(delta, start=None, end=None): for msg in messages: # This is to support the older-format fedmsg messages if "atomic_raw" in msg: -released_atomic_compose_ids.append(["atomic_raw"]["compose_id"]) +released_atomic_compose_ids.append(msg["atomic_raw"]["compose_id"]) # We are just trying here multiple archs to get the compose id elif "aarch64" in msg: released_atomic_compose_ids.append( @@ -186,7 +186,7 @@ def _get_nightly_amis_nd(delta, start=None, end=None): # Sometimes the compose label is None # and they can be blindly put in for deletion -if compose_label is None: +if not compose_label: amis.append((compose_id, ami_id, region)) if compose_id in released_atomic_compose_ids: @@ -209,7 +209,7 @@ def _get_nightly_amis_nd(delta, start=None, end=None): def delete_amis_nd(deletetimestamp, dry_run=False): """ Delete the give list of nightly AMIs -:args deletetimestamp: the timestamp for the delete +:args deletetimestamp: the timestamp for the delete :args dry_run: dry run the flow """ log.info("Deleting AMIs") The PR to this diff is merged into releng repo[1]. +1s [1] https://pagure.io/releng/pull-request/8193#request_diff ___ infrastructure mailing list -- infrastructure@lists.fedoraproject.org To unsubscribe send an email to infrastructure-le...@lists.fedoraproject.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/infrastructure@lists.fedoraproject.org
Re: Freeze Break Request: reinstall buildvm-ppc64le-01/02 to power9 hw
+1 with saving the old ones off (and probably keeping them around until after freeze so we can revert if we notice something wrong but not right away). -re On 3/26/19 4:43 PM, Kevin Fenzi wrote: I'd like to reinstall buildvm-ppc64le-01 and 02 on power9 hardware. This should allow us to stop the crazy things we have had to do on the current ones (running on power8) which includes: * downgrading qemu * downgrading libfdt * downgrading the kernel and booting it and removing all other kernels * disabling security updates because we don't want to mess up the above. It should take only a few minutes and I will save the old vm's so we can back out to them if we have to. (Although I need to re-downgrade qemu on them because it was upgraded the other day when I upgraded libseccomp). kevin ___ infrastructure mailing list -- infrastructure@lists.fedoraproject.org To unsubscribe send an email to infrastructure-le...@lists.fedoraproject.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/infrastructure@lists.fedoraproject.org ___ infrastructure mailing list -- infrastructure@lists.fedoraproject.org To unsubscribe send an email to infrastructure-le...@lists.fedoraproject.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/infrastructure@lists.fedoraproject.org
Re: [FBR ] update-fullfiletimelist: make new-updates-sync use the fedora-secondary lock file
+1 -re On 3/19/19 6:48 PM, ke...@scrye.com wrote: From: Kevin Fenzi Currently update-fullfiletimelist is called from 4 machines: * rawhide-composer: after rawhide compose * branched-composer: after branched compose * secondary01: in a cron every hour updating only /pub/alt as it can change anytime. * bodhi-backend01: after ever updates sync that has content synced We need bodhi-backend01 to use the same lock as rawhide/branched composers since they update the same modules and we don't want them to step on each other. Signed-off-by: Kevin Fenzi --- roles/bodhi2/backend/files/new-updates-sync | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/bodhi2/backend/files/new-updates-sync b/roles/bodhi2/backend/files/new-updates-sync index 0fa893b..7d6e456 100755 --- a/roles/bodhi2/backend/files/new-updates-sync +++ b/roles/bodhi2/backend/files/new-updates-sync @@ -234,7 +234,7 @@ def update_fullfilelist(modules): logger.info('No filelists to update') return cmd = ['/usr/local/bin/update-fullfiletimelist', '-l', - '/tmp/update-fullfiletimelist.lock', '-t', '/pub'] + '/pub/fedora-secondary/update-fullfiletimelist.lock', '-t', '/pub'] cmd.extend(modules) run_command(cmd) ___ infrastructure mailing list -- infrastructure@lists.fedoraproject.org To unsubscribe send an email to infrastructure-le...@lists.fedoraproject.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/infrastructure@lists.fedoraproject.org
Re: FBR for Alessandro Lorenzi for nagios certgetter change.
+1 but note that this will need to be added to tasks/main.yml too so it gets copied over. -re On 3/20/19 7:56 AM, Stephen John Smoogen wrote: I have reviewed this and will sponsor it. -- Forwarded message - From: Alessandro Lorenzi Date: Sat, 16 Mar 2019 at 17:24 Subject: [fedora-infrastructure] Issue #7635: Add monitoring for httpd on certgetter To: neron added a new comment to an issue you are following: `` Hi, first patch in fedora-infrastructure! ``` From 191cd95874e5f2f0141032cc211f2b405255df6d Mon Sep 17 00:00:00 2001 From: Alessandro Lorenzi Date: Sat, 16 Mar 2019 22:10:12 +0100 Subject: [PATCH] Monitoring: add service certgetter http Refs: #7635 --- roles/nagios_server/files/nagios/services/certgetter.cfg | 6 ++ 1 file changed, 6 insertions(+) create mode 100644 roles/nagios_server/files/nagios/services/certgetter.cfg diff --git a/roles/nagios_server/files/nagios/services/certgetter.cfg b/roles/nagios_server/files/nagios/services/certgetter.cfg new file mode 100644 index 0..2b143ed23 --- /dev/null +++ b/roles/nagios_server/files/nagios/services/certgetter.cfg @@ -0,0 +1,6 @@ +define service { + host_name certgetter01.phx2.fedoraproject.org + service_description certgetter-http + check_command check_http!certgetter01.phx2.fedoraproject.org + use defaulttemplate +} -- 2.17.1 ``` `` To reply, visit the link below or just reply to this email https://pagure.io/fedora-infrastructure/issue/7635 ___ infrastructure mailing list -- infrastructure@lists.fedoraproject.org To unsubscribe send an email to infrastructure-le...@lists.fedoraproject.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/infrastructure@lists.fedoraproject.org
Re: FBR: Add nfs-server/remove ipv6-test
+1 -re On 3/20/19 10:02 AM, Stephen John Smoogen wrote: This will bring 45drives box ready for testing and will remove ipv6-test from ansible. I will need to run the noc.yml after this to remove ipv6-test from nagios. ___ infrastructure mailing list -- infrastructure@lists.fedoraproject.org To unsubscribe send an email to infrastructure-le...@lists.fedoraproject.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/infrastructure@lists.fedoraproject.org ___ infrastructure mailing list -- infrastructure@lists.fedoraproject.org To unsubscribe send an email to infrastructure-le...@lists.fedoraproject.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/infrastructure@lists.fedoraproject.org
Re: "FBR: To update python3-productmd on compose-x86-01.phx2.fp.o"
+1 -re On 3/20/19 8:15 AM, Mohan Boddu wrote: The recent RC compose failed due to: ValueError: Image: Field 'type' has invalid value: vmdk Support for vmdk was added in python3-productmd-1.21-1.fc29 version. Once updated, this issue should be fixed. Thanks. ___ infrastructure mailing list -- infrastructure@lists.fedoraproject.org To unsubscribe send an email to infrastructure-le...@lists.fedoraproject.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/infrastructure@lists.fedoraproject.org ___ infrastructure mailing list -- infrastructure@lists.fedoraproject.org To unsubscribe send an email to infrastructure-le...@lists.fedoraproject.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/infrastructure@lists.fedoraproject.org
Re: Request for comments: mediawiki-FedoraBadges direct db query
On 3/20/19 9:48 AM, Stephen John Smoogen wrote: On Wed, 20 Mar 2019 at 09:43, Pierre-Yves Chibon wrote: Sounds fine to me :) As a ticket been opened upstream so it's not lost that this API needs optimization? To this particular one, no. I went and looked at the open issues and saw several 'tahrir is slow' so figured it might be caught up already in those. Yeah, exactly this. I think the problems aren't specific to this particular endpoint. We've known (or at least I've known) about the slowness on this endpoint since the start of Tahrir's development, but I think it affects some other endpoints as well (as suggested by the tickets smooge referred to). I tried for a while to track it down a few years ago, but never did. R. ___ infrastructure mailing list -- infrastructure@lists.fedoraproject.org To unsubscribe send an email to infrastructure-le...@lists.fedoraproject.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/infrastructure@lists.fedoraproject.org
Re: Request for comments: mediawiki-FedoraBadges direct db query
On 3/20/19 9:42 AM, Clement Verna wrote: On Wed, 20 Mar 2019 at 14:27, Rick Elrod wrote: Hi all, Tahrir is slow, and the endpoint that mediawiki-FedoraBadges uses to get its badge count and badge assertion data from takes about 35 seconds per request. Do we have an idea what makes Tahrir so slow ? Way back when Tahrir was more actively developed, I tried to look into this some. From what I remember, it's just generating super inefficient queries, and lots of them. I recall the ORM it was using loves to generate queries that exhibit the N+1 query problem. When the N queries are inefficient ones (that might also generate more queries each), the result is slowness. But that might have changed, and I haven't touched the Tahrir codebase in years. As smooge said, there are a number of Tahrir-upstream bugs that mention it being slow all around, so I don't think this is specific to the endpoint I'm using. I think this is just where we end up seeing it fairly often because of wiki userpages. Rick ___ infrastructure mailing list -- infrastructure@lists.fedoraproject.org To unsubscribe send an email to infrastructure-le...@lists.fedoraproject.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/infrastructure@lists.fedoraproject.org
Request for comments: mediawiki-FedoraBadges direct db query
Hi all, Tahrir is slow, and the endpoint that mediawiki-FedoraBadges uses to get its badge count and badge assertion data from takes about 35 seconds per request. As a result, if a user enables both badge count and badge images on a user page, the two requests combined take well over a minute. This results in mediawiki often bombing the request and rendering an ugly error in place of badges. We get tickets/support requests on this occasionally as well: - https://pagure.io/fedora-infrastructure/issue/7650 Some quick testing shows that the queries I care about for the mediawiki-FedoraBadges plugin take about 70ms to run (in prod). Incurring a 35 second penalty for that seems *crazy* to me. As an alternative, I'd like to propose making a tahrir-readonly user, and modifying the mediawiki-FedoraBadges plugin to query the badges database directly. I played around and got it working in staging, the process was something like: - Create tahrir-readonly postgres user - Grant it readonly perms on the tahrir tables, and connect and usage perms. - Modify the mw plugin - Install php-pgsql on wiki01.stg so it can actually connect After that it seems to work fine. I triggered a cache purge of all wiki pages on stg as well (but on prod, I'd probably just let the cache naturally expire). Pages with badges load almost instantly now (granted the stg data is way less than prod, but still). I'm looking for comments because I don't know if there's anything security-wise I'm overlooking in doing this. At a quick glance, it seems fine -- the new pg user is readonly and very few people have access to LocalSettings.php where the connect info would be stored. But I might well be missing something and want to be safe. Thoughts? Rick ___ infrastructure mailing list -- infrastructure@lists.fedoraproject.org To unsubscribe send an email to infrastructure-le...@lists.fedoraproject.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/infrastructure@lists.fedoraproject.org
FBR: make iot.fp.o live
This has been in stg for a while, and I have been asked to make it live. This FBR is for permission to commit this and run the proxy playbook on all proxies. Rick commit fe044fc717517d01211e1995ff9778b7b7906fe4 Author: Rick Elrod Date: Tue Mar 19 16:59:54 2019 + [fedora-web/iot] make it live Signed-off-by: Rick Elrod diff --git a/playbooks/include/proxies-fedora-web.yml b/playbooks/include/proxies-fedora-web.yml index 526ba27..7532950 100644 --- a/playbooks/include/proxies-fedora-web.yml +++ b/playbooks/include/proxies-fedora-web.yml @@ -42,7 +42,6 @@ website: arm.fedoraproject.org - role: fedora-web/iot website: iot.fedoraproject.org -when: env == "staging" - role: fedora-web/registry website: registry.fedoraproject.org - role: fedora-web/ostree diff --git a/playbooks/include/proxies-websites.yml b/playbooks/include/proxies-websites.yml index df22e22..352fdde 100644 --- a/playbooks/include/proxies-websites.yml +++ b/playbooks/include/proxies-websites.yml @@ -226,7 +226,6 @@ - iot.stg.fedoraproject.org sslonly: true cert_name: "{{wildcard_cert_name}}" -when: env == "staging" - role: httpd/website site_name: budget.fedoraproject.org diff --git a/roles/fedora-web/build/files/syncStatic.sh b/roles/fedora-web/build/files/syncStatic.sh index 8c5d622..7a541a9 100644 --- a/roles/fedora-web/build/files/syncStatic.sh +++ b/roles/fedora-web/build/files/syncStatic.sh @@ -71,3 +71,4 @@ build fedoracommunity.org build fudcon.fedoraproject.org build start.fedoraproject.org build fedoraproject.org +build iot.fedoraproject.org ___ infrastructure mailing list -- infrastructure@lists.fedoraproject.org To unsubscribe send an email to infrastructure-le...@lists.fedoraproject.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/infrastructure@lists.fedoraproject.org
Re: [Freeze Break Request ] gnome-backups: remove cloud.gnome.org and also unset freeze flag
+1 -re On 3/6/19 5:23 PM, ke...@scrye.com wrote: From: Kevin Fenzi Per averi, cloud.gnome.org is to be removed. This host has no impact on fedora releases and shouldn't freeze. Signed-off-by: Kevin Fenzi --- inventory/group_vars/gnome-backups | 1 + roles/gnome_backups/files/backup.sh | 1 - roles/gnome_backups/files/ssh_config | 2 +- roles/gnome_backups/tasks/main.yml | 1 - 4 files changed, 2 insertions(+), 3 deletions(-) diff --git a/inventory/group_vars/gnome-backups b/inventory/group_vars/gnome-backups index 5c4a8b5..9e55342 100644 --- a/inventory/group_vars/gnome-backups +++ b/inventory/group_vars/gnome-backups @@ -1,3 +1,4 @@ +freezes: False csi_purpose: GNOME Infrastructure Backups facility csi_relationship: | Provides rdiff-backup based backups to all the GNOME Infrastructure diff --git a/roles/gnome_backups/files/backup.sh b/roles/gnome_backups/files/backup.sh index 348dce1..4b4c619 100644 --- a/roles/gnome_backups/files/backup.sh +++ b/roles/gnome_backups/files/backup.sh @@ -9,7 +9,6 @@ MACHINES='signal.gnome.org webapps2.gnome.org palette.gnome.org webapps.gnome.org - cloud.gnome.org bastion.gnome.org spinner.gnome.org master.gnome.org diff --git a/roles/gnome_backups/files/ssh_config b/roles/gnome_backups/files/ssh_config index 630a652..e6f8ecb 100644 --- a/roles/gnome_backups/files/ssh_config +++ b/roles/gnome_backups/files/ssh_config @@ -1,4 +1,4 @@ -Host puppetmaster01.gnome.org cloud.gnome.org webapps3.gnome.org +Host puppetmaster01.gnome.org webapps3.gnome.org User root IdentityFile /usr/local/etc/gnome_backup_id.rsa ProxyCommand ssh -W %h:%p bastion.gnome.org -F /usr/local/etc/gnome_ssh_config diff --git a/roles/gnome_backups/tasks/main.yml b/roles/gnome_backups/tasks/main.yml index 368ccdc..5de98fc 100644 --- a/roles/gnome_backups/tasks/main.yml +++ b/roles/gnome_backups/tasks/main.yml @@ -34,7 +34,6 @@ - webapps.gnome.org - socket.gnome.org - bugzilla.gnome.org - - cloud.gnome.org - bastion.gnome.org - spinner.gnome.org - master.gnome.org ___ infrastructure mailing list -- infrastructure@lists.fedoraproject.org To unsubscribe send an email to infrastructure-le...@lists.fedoraproject.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/infrastructure@lists.fedoraproject.org
Re: [Freeze Break Request ] batcave01: add sysadmin-gnome so they can login and commit to ansible if need be.
+1 here. -re On 3/6/19 5:07 PM, ke...@scrye.com wrote: From: Kevin Fenzi Gnome folks have a gnome-backups01 vm that has a netapp volume for backups. They manage it via our ansible repo and playbooks. Signed-off-by: Kevin Fenzi --- inventory/group_vars/batcave | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/inventory/group_vars/batcave b/inventory/group_vars/batcave index c518391..13e8d21 100644 --- a/inventory/group_vars/batcave +++ b/inventory/group_vars/batcave @@ -8,7 +8,7 @@ tcp_ports: [ 80, 443, 8443, 8444 ] # Neeed for rsync from log01 for logs. custom_rules: [ '-A INPUT -p tcp -m tcp -s 10.5.126.13 --dport 873 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT' ] -fas_client_groups: sysadmin-ask,sysadmin-atomic,sysadmin-cvs,sysadmin-main,sysadmin-web,sysadmin-noc,sysadmin-hosted,sysadmin-releng,sysadmin-qa,sysadmin-tools,sysadmin-cloud,sysadmin-bot,sysadmin-centos,sysadmin-koschei,sysadmin-datanommer,sysadmin-fedimg,fi-apprentice,sysadmin-regcfp,sysadmin-badges,sysadmin-mbs,sysadmin-veteran,sysadmin-coreos,sysadmin-upstreamfirst,sysadmin-releasemonitoring,sysadmin-fpdc,sysadmin-messaging,sysadmin-libravatar +fas_client_groups: sysadmin-ask,sysadmin-atomic,sysadmin-cvs,sysadmin-main,sysadmin-web,sysadmin-noc,sysadmin-hosted,sysadmin-releng,sysadmin-qa,sysadmin-tools,sysadmin-cloud,sysadmin-bot,sysadmin-centos,sysadmin-koschei,sysadmin-datanommer,sysadmin-fedimg,fi-apprentice,sysadmin-regcfp,sysadmin-badges,sysadmin-mbs,sysadmin-veteran,sysadmin-coreos,sysadmin-upstreamfirst,sysadmin-releasemonitoring,sysadmin-fpdc,sysadmin-messaging,sysadmin-libravatar,sysadmin-gnome ansible_base: /srv/web/infra freezes: false ___ infrastructure mailing list -- infrastructure@lists.fedoraproject.org To unsubscribe send an email to infrastructure-le...@lists.fedoraproject.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/infrastructure@lists.fedoraproject.org
Re: Project Details
Similar to smooge, I'm on the ops side primarily, but I do bounce around and try to be flexible when needed. Notable things over the last few months: - Lots of newcloud work with Kevin, Jim, and Patrick - Maintained and deployed the websites -- at least enough to get them updated -- for the last few releases. - Lots of on-call (especially the last few weeks while people were travelling) - Lots of proxy rebuilding (tag-teamed these with Kevin to get them updated to a non-EOL Fedora) - Got our S3/cloudfront mirror sync working (though it has some issues and is WIP) - Focused and presented on some ideas for retaining contributors and making infrastructure onboarding more interactive and appealing to people. WIP. - Calling in drives/problems to vendors and working with dcops to get them taken care of. - Maintain our modernpaste pastebin (which I'll have more to say about at the next infra meeting) - Maintain the (external) da.gd URL shortener, which Fedora uses in a fair number of places nowadays - Package maintenance, though I've been trying to do less of this. More recent one-off type things, to give an idea of my quotidian work: - Fixed our robots.txt in staging to make the wiki not be crawlable - While doing that, discovered that for "reasons" our prod robots.txt had a lotus-organizer mimetype. Fixed. - Our GeoDNS stopped working due to GeoIP format change. Wrote a script to parse and process the new format, and made it a bit better than the old setup by adding ipv6. Upcoming-ish plans: - Experiment and help with eventual migration to RHEL8 by looking at RHEL8-beta in various places and seeing how much pain getting our ansible setup to work on it will be. - Work with smooge(?) on getting some proxies in AWS/EC2. - Websites work for F30/F31 releases - Getting more apps in OpenShift Random/outside of Fedora: - I have a deep passion for statically typed functional programming/type theory, and most of my non-Fedora FOSS contributions are in that space. - Relatedly, I'm a volunteer on the haskell.org infrastructure team, though less active nowadays. - I've taken to playing with various backend networking protocols (bgp/igp, ospf, etc.) to learn about them with some friends using gre tunnels. - I play a few instruments with varying degrees of success. - I swing dance, DJ swing dances, and run sound systems for live-band swing dances - I'm finishing my undergraduate degree (CS/Math dual major, Linguistics minor); should be graduating in May. - I have a dog, she keeps me busy. Rick On Thu, Jan 31, 2019 at 9:46 AM Karsten Hopp wrote: > > Wow, that's an impressive list ! > > Mine is much shorter: > > - Pagure (see above) > > - Fedora CI (gating) >https://fedoraproject.org/wiki/CI > > - package maintenance, i.e. vim, libcap, ed, Add tests and enable gating > ___ > infrastructure mailing list -- infrastructure@lists.fedoraproject.org > To unsubscribe send an email to infrastructure-le...@lists.fedoraproject.org > Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: > https://lists.fedoraproject.org/archives/list/infrastructure@lists.fedoraproject.org ___ infrastructure mailing list -- infrastructure@lists.fedoraproject.org To unsubscribe send an email to infrastructure-le...@lists.fedoraproject.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/infrastructure@lists.fedoraproject.org
Re: [Freeze Break Request: ] Explicitly set Protocol 2 on sshd for pagure.
+1 On 10/20/18 3:09 PM, ke...@scrye.com wrote: > From: Kevin Fenzi > > This doesn't actually change anything for sshd (only proto 2 is default), > However, rkhunter complains about it not setting that explicitly. > So, this is just to get rkhunter to shut up about it. > > Signed-off-by: Kevin Fenzi > --- > roles/basessh/files/ssh/sshd_config.pagure | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/roles/basessh/files/ssh/sshd_config.pagure > b/roles/basessh/files/ssh/sshd_config.pagure > index 8fca2d4..0425ccb 100644 > --- a/roles/basessh/files/ssh/sshd_config.pagure > +++ b/roles/basessh/files/ssh/sshd_config.pagure > @@ -20,7 +20,7 @@ > #ListenAddress :: > > # The default requires explicit activation of protocol 1 > -#Protocol 2 > +Protocol 2 > > # HostKey for protocol version 1 > #HostKey /etc/ssh/ssh_host_key signature.asc Description: OpenPGP digital signature ___ infrastructure mailing list -- infrastructure@lists.fedoraproject.org To unsubscribe send an email to infrastructure-le...@lists.fedoraproject.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/infrastructure@lists.fedoraproject.org
Re: [Freeze Break Request: ] Enable fpdc scopes in ipsilon. Ticket 7299.
+1 -re On 10/16/18 12:50 PM, ke...@scrye.com wrote: > From: Kevin Fenzi > > This simply installs the ipsilon plugin for fpdc scopes and > restarts it. If there's an issue we can easily remove it to > roll back to where we were. > > +1s? > > Signed-off-by: Kevin Fenzi > --- > roles/ipsilon/tasks/main.yml | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/roles/ipsilon/tasks/main.yml b/roles/ipsilon/tasks/main.yml > index 9bbccbf..ab2f0a7 100644 > --- a/roles/ipsilon/tasks/main.yml > +++ b/roles/ipsilon/tasks/main.yml > @@ -50,6 +50,7 @@ >- wiki >- freshmaker >- src > + - fpdc >notify: >- reload apache >tags: signature.asc Description: OpenPGP digital signature ___ infrastructure mailing list -- infrastructure@lists.fedoraproject.org To unsubscribe send an email to infrastructure-le...@lists.fedoraproject.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/infrastructure@lists.fedoraproject.org
Re: FBR: Switch Pagure over to aclchecker
+1 -re On 10/11/2018 02:22 PM, Patrick マルタインアンドレアス Uiterwijk wrote: > Hi, > > This is the next step of preparing pagure.io for repoSpanner: switch the > entry command to aclchecker, which is a small script that calls either > repoBridge for repos on repoSpanner (none at this moment) or gitolite for all > others. > This adds some configuration for repobridge, but that won't be used yet. > This can be reverted by switching the SSH config back to no longer calling > keyhelper. > > Patrick > > > commit 6d313b60b05b022c1ae04dc81f9956cff33fb5b5 (HEAD -> master) > Author: Patrick Uiterwijk > Date: Thu Oct 11 20:19:11 2018 +0200 > > Switch Pagure.io over to aclchecker > > This will make it possible to migrate repositories to repoSpanner. > > Signed-off-by: Patrick Uiterwijk > > diff --git a/roles/pagure/frontend/templates/pagure.cfg > b/roles/pagure/frontend/templates/pagure.cfg > index 4fddd17e7..54e28930b 100644 > --- a/roles/pagure/frontend/templates/pagure.cfg > +++ b/roles/pagure/frontend/templates/pagure.cfg > @@ -313,4 +313,21 @@ THEME = 'pagureio' > MIRROR_SSHKEYS_FOLDER='/srv/mirror/ssh' > > SSH_KEYS_USERNAME_EXPECT = "git" > -SSH_KEYS_OPTIONS = 'command="/usr/share/gitolite3/gitolite-shell > %(username)s",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty' > +SSH_KEYS_OPTIONS = 'restrict,command="/usr/libexec/pagure/aclchecker.py > %(username)s"' > + > +SSH_COMMAND_REPOSPANNER = ([ > +"/usr/libexec/repobridge", > +"--extra", "username", "%(username)s", > +"--extra", "repotype", "%(repotype)s", > +"--extra", "project_name", "%(project_name)s", > +"--extra", "project_user", "%(project_user)s", > +"--extra", "project_namespace", "%(project_namespace)s", > +"%(cmd)s", > +"'pagure/%(repotype)s/%(reponame)s'", > +], {"REPOBRIDGE_CONFIG": "/etc/repobridge/rpms.json"}) > +SSH_COMMAND_NON_REPOSPANNER = ([ > +"/usr/share/gitolite3/gitolite-shell", > +"%(username)s", > +"%(cmd)s", > +"%(reponame)s", > +], {}) > ___ > infrastructure mailing list -- infrastructure@lists.fedoraproject.org > To unsubscribe send an email to infrastructure-le...@lists.fedoraproject.org > Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: > https://lists.fedoraproject.org/archives/list/infrastructure@lists.fedoraproject.org signature.asc Description: OpenPGP digital signature ___ infrastructure mailing list -- infrastructure@lists.fedoraproject.org To unsubscribe send an email to infrastructure-le...@lists.fedoraproject.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/infrastructure@lists.fedoraproject.org
Re: FBR: Disable OCSP on non-proxies
+1 here. -re On 09/25/2018 03:26 PM, Patrick マルタインアンドレアス Uiterwijk wrote: > Can I get +1s for the following patch? > Explanation as to why this specific patch is in the commit message. > > > > commit d2688610419973cd519ef8f8f581a03215aaf73c (HEAD -> master) > Author: Patrick Uiterwijk > Date: Tue Sep 25 21:25:00 2018 +0200 > > Only do OCSP stapling on the proxies > > The actual cache is only set in the proxy HTTP config. > While we could set the cache path in the other servers' configs as well, > that would be a significantly larger change. > > Signed-off-by: Patrick Uiterwijk > > diff --git a/roles/httpd/website/templates/website.conf > b/roles/httpd/website/templates/website.conf > index 8ff23bbd0..afedf27eb 100644 > --- a/roles/httpd/website/templates/website.conf > +++ b/roles/httpd/website/templates/website.conf > @@ -57,7 +57,9 @@ > {% endif %} > >SSLEngine on > - SSLUseStapling on > + {% if ansible_hostname.startswith('proxy') %} > +SSLUseStapling on > + {% endif %} > {% if certbot %} >SSLCertificateFile /etc/pki/tls/certs/{{ site_name }}.cert >SSLCertificateKeyFile /etc/pki/tls/private/{{ site_name }}.key > ___ > infrastructure mailing list -- infrastructure@lists.fedoraproject.org > To unsubscribe send an email to infrastructure-le...@lists.fedoraproject.org > Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: > https://lists.fedoraproject.org/archives/list/infrastructure@lists.fedoraproject.org signature.asc Description: OpenPGP digital signature ___ infrastructure mailing list -- infrastructure@lists.fedoraproject.org To unsubscribe send an email to infrastructure-le...@lists.fedoraproject.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/infrastructure@lists.fedoraproject.org
Re: FBR: upgrading pagure to 5.0
I'm +0 leaning -1 on doing this on release day, simply because release days are potentially hectic enough as-is. If the pagure upgrade flops, then we have more to worry about at the same time, potentially pulling people away from dealing with beta release stuff. I'm not convinced waiting one day hurts us that much. Just my $0.02. Rick On 09/25/2018 02:11 AM, Pierre-Yves Chibon wrote: > Good Morning Everyone, > > I just cut a new release of pagure: 5.0, the formal announce is pending > polishing things with mailman so we can include in the announce the new > mailing > lists to discuss/follow pagure. > > Pending this, I'd like to request a Freeze Break Request for upgrading pagure > to > 5.0. > It's not critical for the release of the beta tomorrow, and it saves one day > (vs > waiting for Wed) for the upgrade which considering some deadlines intern to > the > infra team may be good. > > What do you think? > > > Thanks, > Pierre > > > PS: Sorry for sending this a second time, the first email didn't reach the > list > so let's see if the second one does. > > > ___ > infrastructure mailing list -- infrastructure@lists.fedoraproject.org > To unsubscribe send an email to infrastructure-le...@lists.fedoraproject.org > Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: > https://lists.fedoraproject.org/archives/list/infrastructure@lists.fedoraproject.org signature.asc Description: OpenPGP digital signature ___ infrastructure mailing list -- infrastructure@lists.fedoraproject.org To unsubscribe send an email to infrastructure-le...@lists.fedoraproject.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/infrastructure@lists.fedoraproject.org
pkgdb shutdown
Greetings all, We had meant to turn off pkgdb *last* July (2017), but due to various services depending on it, we kept it running as read-only for the past year. I am pleased to announce we have finally shut down the service after replacing the last known in-use API endpoint (/api/collections/) with a static JSON file. If you notice anything else still trying to query pkgdb, please let us know on the list or in #fedora-admin. Thank you, Rick signature.asc Description: OpenPGP digital signature ___ infrastructure mailing list -- infrastructure@lists.fedoraproject.org To unsubscribe send an email to infrastructure-le...@lists.fedoraproject.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/infrastructure@lists.fedoraproject.org/message/YPXTH3Z3FPSQJO6QDYH4CUXRUFO5LR3E/
Re: [PATCH] avoid \xZZ in mirrorlist urls
On May 13, 2010, at 12:05 AM, Matt Domsch wrote: OK, having spent a few more hours, I don't need the RewriteRule. Yea! I just need to convert to unicode, and leave it in unicode. Malformed requests fail lookups as would be expected and return the you asked for an invalid repo or arch message. Good requests return the mirrorlist. All is swimmingly. commit 9251a20e8ff8239bae2c74e64ad20a4645423ae9 Author: Matt Domsch matt_dom...@dell.com Date: Wed May 12 22:59:46 2010 -0500 mirrorlist_client: leave query params as utf8 diff --git a/mirrorlist-server/mirrorlist_client.wsgi b/mirrorlist-server/mirrorlist_client.wsgi index 3508f19..36077a1 100755 --- a/mirrorlist-server/mirrorlist_client.wsgi +++ b/mirrorlist-server/mirrorlist_client.wsgi @@ -93,7 +93,7 @@ def request_setup(request): for k, v in d.iteritems(): try: -d[k] = unicode(v, 'utf8', 'ignore').encode('utf8') +d[k] = unicode(v, 'utf8', 'replace') except: pass return d +1 ___ infrastructure mailing list infrastructure@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/infrastructure