Re: Retroactive FBR

2017-09-26 Thread Paul W. Frields
On Fri, Sep 22, 2017 at 05:20:57PM -0500, Dennis Gilmore wrote:
> On Fri, 22-09-2017 at 17:38 -0400, Paul W. Frields wrote:
> > I want to apologize profusely -- I pushed a tiny change to the email
> > aliases and completely failed to consider they are covered by FBR
> > requirement.
> > 
> > https://infrastructure.fedoraproject.org/cgit/ansible.git/commit/?id=fe766d267f4e3149b2931573216de96db8406101
> > 
> > Kushal's no longer at Red Hat effective COB today, and AIUI this alias
> > sometimes is used for internally destined info like billing or other
> > contact.
> > 
> > So I'm seeking retroactive +1 and promise to give myself 50 lashes
> > with a wet noodle.
> > 
> 
> Does Robyn need to be in that list still?

Probably not.  I'll go over it again and revise but not until
post-freeze. ;-)

-- 
Paul W. Frields                                http://paul.frields.org/
  gpg fingerprint: 3DA6 A0AC 6D58 FEC4 0233  5906 ACDB C937 BD11 3717
  http://redhat.com/   -  -  -  -   http://pfrields.fedorapeople.org/
The open source story continues to grow: http://opensource.com
___
infrastructure mailing list -- infrastructure@lists.fedoraproject.org
To unsubscribe send an email to infrastructure-le...@lists.fedoraproject.org


Re: New Freeze break request: re-enable git:// on pkgs

2017-09-26 Thread Ricky Elrod
+1


On Tue, Sep 26, 2017 at 11:26 AM, Stephen John Smoogen  wrote:
> +1.
>
> On 26 September 2017 at 11:22, Kevin Fenzi  wrote:
>> On 09/25/2017 10:58 PM, Till Maas wrote:
>>> On Mon, Sep 25, 2017 at 01:54:49PM -0700, Kevin Fenzi wrote:
>>>
>>>> This morning pkgs02 stopped answering to git:// clone urls from koji,
>>>> breaking builds.
>>>
>>> Could we make koji also use https:// nowadays? I remember that there was
>>> a ticket about this.
>>
>> That should be all done. koji should always use https now with a valid
>> cert.
>>
>>>> systemd was happy after that, but load was still very very high. Looking
>>>> I found a number of git clones from external ip's. Since there's no
>>>> reason for this (external people should use https:// clone urls or
>>>> ssh://) I blocked those except from 10.0.0.0/8.
>>>>
>>>> Since this was outage causing for builds I went ahead and did all this,
>>>> but would like to get retroactive +1s or any adjustments I might have
>>>> missed.
>>>
>>> +1 (for no unencrypted services)
>>
>> Agreed, unfortunately, things don't seem to be ready for git:// to go
>> away on pkgs yet. ;(
>>
>> * fedpkg -a still uses it. The issue there is that it needs to not only
>> using https://src but it needs to pass a url to koji that works for
>> official builds. See:
>>
>> https://bugzilla.redhat.com/show_bug.cgi?id=1188634
>>
>> So, we may need to adjust kojid config on our side or something more
>> intrusive.
>>
>> * chain builds don't work:
>>
>> Could not execute chainbuild: Got an error finding master head for
>> : fatal: unable to connect to pkgs.fedoraproject.org:
>>
>> So, I'd like to revert this until after the freeze when we can actually
>> have fedpkg fixed and ready for it.
>>
>> Note that if we start getting hammered from any specific IP's, we could
>> specifically block them for now.
>>
>> +1s to apply this and monitor?
>>
>> diff --git a/inventory/group_vars/pkgs b/inventory/group_vars/pkgs
>> index c0435a0..7552654 100644
>> --- a/inventory/group_vars/pkgs
>> +++ b/inventory/group_vars/pkgs
>> @@ -8,7 +8,7 @@ tcp_ports: [80, 443,
>>  3000, 3001, 3002, 3003, 3004, 3005, 3006, 3007,
>>  3008, 3009, 3010, 3011, 3012, 3013, 3014, 3015]
>>
>> -custom_rules: [ '-A INPUT -s 10.0.0.0/8 -p tcp -m tcp --dport 9418 -j
>> ACCEPT']
>> +custom_rules: [ '-A INPUT -p tcp -m tcp --dport 9418 -j ACCEPT']
>>
>>  # Definining these vars has a number of effects
>>  # 1) mod_wsgi is configured to use the vars for its own setup
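Review bot: The removed `-custom_rules` line is wrapped by the mailer (`-j` ends one line and `ACCEPT']` starts the next), so the hunk as mailed will not match the file and cannot be applied with `git am` or `patch`. Resend it as an attachment or with line wrapping disabled, so that what reviewers +1 is exactly what gets applied.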
>>
>> kevin
>>
>>
>>
>
>
>
> --
> Stephen J Smoogen.


Re: New Freeze break request: re-enable git:// on pkgs

2017-09-26 Thread Stephen John Smoogen
+1.

On 26 September 2017 at 11:22, Kevin Fenzi  wrote:
> On 09/25/2017 10:58 PM, Till Maas wrote:
>> On Mon, Sep 25, 2017 at 01:54:49PM -0700, Kevin Fenzi wrote:
>>
>>> This morning pkgs02 stopped answering to git:// clone urls from koji,
>>> breaking builds.
>>
>> Could we make koji also use https:// nowadays? I remember that there was
>> a ticket about this.
>
> That should be all done. koji should always use https now with a valid
> cert.
>
>>> systemd was happy after that, but load was still very very high. Looking
>>> I found a number of git clones from external ip's. Since there's no
>>> reason for this (external people should use https:// clone urls or
>>> ssh://) I blocked those except from 10.0.0.0/8.
>>>
>>> Since this was outage causing for builds I went ahead and did all this,
>>> but would like to get retroactive +1s or any adjustments I might have
>>> missed.
>>
>> +1 (for no unencrypted services)
>
> Agreed, unfortunately, things don't seem to be ready for git:// to go
> away on pkgs yet. ;(
>
> * fedpkg -a still uses it. The issue there is that it needs to not only
> using https://src but it needs to pass a url to koji that works for
> official builds. See:
>
> https://bugzilla.redhat.com/show_bug.cgi?id=1188634
>
> So, we may need to adjust kojid config on our side or something more
> intrusive.
>
> * chain builds don't work:
>
> Could not execute chainbuild: Got an error finding master head for
> : fatal: unable to connect to pkgs.fedoraproject.org:
>
> So, I'd like to revert this until after the freeze when we can actually
> have fedpkg fixed and ready for it.
>
> Note that if we start getting hammered from any specific IP's, we could
> specifically block them for now.
>
> +1s to apply this and monitor?
>
> diff --git a/inventory/group_vars/pkgs b/inventory/group_vars/pkgs
> index c0435a0..7552654 100644
> --- a/inventory/group_vars/pkgs
> +++ b/inventory/group_vars/pkgs
> @@ -8,7 +8,7 @@ tcp_ports: [80, 443,
>  3000, 3001, 3002, 3003, 3004, 3005, 3006, 3007,
>  3008, 3009, 3010, 3011, 3012, 3013, 3014, 3015]
>
> -custom_rules: [ '-A INPUT -s 10.0.0.0/8 -p tcp -m tcp --dport 9418 -j
> ACCEPT']
> +custom_rules: [ '-A INPUT -p tcp -m tcp --dport 9418 -j ACCEPT']
>
>  # Definining these vars has a number of effects
>  # 1) mod_wsgi is configured to use the vars for its own setup
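Review bot: Nothing next to `custom_rules` records that the unrestricted rule is a temporary freeze-break revert. A comment above it pointing at https://bugzilla.redhat.com/show_bug.cgi?id=1188634 and stating that `-s 10.0.0.0/8` is to be restored once fedpkg is fixed would keep the open rule from outliving the freeze unnoticed.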
>
> kevin
>
>
>



-- 
Stephen J Smoogen.


New Freeze break request: re-enable git:// on pkgs

2017-09-26 Thread Kevin Fenzi
On 09/25/2017 10:58 PM, Till Maas wrote:
> On Mon, Sep 25, 2017 at 01:54:49PM -0700, Kevin Fenzi wrote:
> 
>> This morning pkgs02 stopped answering to git:// clone urls from koji,
>> breaking builds.
> 
> Could we make koji also use https:// nowadays? I remember that there was
> a ticket about this.

That should be all done. koji should always use https now with a valid
cert.

>> systemd was happy after that, but load was still very very high. Looking
>> I found a number of git clones from external ip's. Since there's no
>> reason for this (external people should use https:// clone urls or
>> ssh://) I blocked those except from 10.0.0.0/8.
>>
>> Since this was outage causing for builds I went ahead and did all this,
>> but would like to get retroactive +1s or any adjustments I might have
>> missed.
> 
> +1 (for no unencrypted services)

Agreed, unfortunately, things don't seem to be ready for git:// to go
away on pkgs yet. ;(

* fedpkg -a still uses it. The issue there is that it needs to not only
using https://src but it needs to pass a url to koji that works for
official builds. See:

https://bugzilla.redhat.com/show_bug.cgi?id=1188634

So, we may need to adjust kojid config on our side or something more
intrusive.

* chain builds don't work:

Could not execute chainbuild: Got an error finding master head for
: fatal: unable to connect to pkgs.fedoraproject.org:

So, I'd like to revert this until after the freeze when we can actually
have fedpkg fixed and ready for it.

Note that if we start getting hammered from any specific IP's, we could
specifically block them for now.

+1s to apply this and monitor?

diff --git a/inventory/group_vars/pkgs b/inventory/group_vars/pkgs
index c0435a0..7552654 100644
--- a/inventory/group_vars/pkgs
+++ b/inventory/group_vars/pkgs
@@ -8,7 +8,7 @@ tcp_ports: [80, 443,
 3000, 3001, 3002, 3003, 3004, 3005, 3006, 3007,
 3008, 3009, 3010, 3011, 3012, 3013, 3014, 3015]

-custom_rules: [ '-A INPUT -s 10.0.0.0/8 -p tcp -m tcp --dport 9418 -j
ACCEPT']
+custom_rules: [ '-A INPUT -p tcp -m tcp --dport 9418 -j ACCEPT']

 # Definining these vars has a number of effects
 # 1) mod_wsgi is configured to use the vars for its own setup
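Review bot: The `+custom_rules` line drops `-s 10.0.0.0/8` and puts nothing in its place, so port 9418 accepts from any source again and the only protection against the external clone load described above is blocking IPs by hand. Consider keeping the internal ACCEPT and letting other sources in behind a per-source connection cap (for instance a `-m connlimit` rule ahead of the ACCEPT), so a single heavy client cannot starve the builders while the port is open.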

kevin
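
Added example, not part of the original message or of the Fedora infrastructure code: one way to do the "monitor" step is to count established connections to the git:// port per peer and list the sources outside 10.0.0.0/8. It assumes the standard `ss -tn` column layout; the sample output, the threshold and the function names are constructed for illustration.

```python
import ipaddress
from collections import Counter

GIT_PORT = 9418                                 # git:// port from the rule in this thread
INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # range the thread treats as internal

# Constructed sample of `ss -tn` output; external peers use documentation ranges.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port   Peer Address:Port
ESTAB  0      0      10.5.125.44:9418     10.5.125.70:41022
ESTAB  0      0      10.5.125.44:9418     203.0.113.7:50112
ESTAB  0      0      10.5.125.44:9418     203.0.113.7:50114
ESTAB  0      0      10.5.125.44:9418     203.0.113.7:50120
ESTAB  0      0      10.5.125.44:9418     198.51.100.23:39210
ESTAB  0      0      10.5.125.44:443      203.0.113.7:50200
TIME-WAIT 0   0      10.5.125.44:9418     198.51.100.23:39100
ESTAB  0      0      [2001:db8::10]:9418  [2001:db8::beef]:40000
"""

def split_hostport(field):
    """Split 'addr:port' or '[v6addr]:port' into (ip_address, int port)."""
    host, _, port = field.rpartition(":")
    return ipaddress.ip_address(host.strip("[]")), int(port)

def external_git_clients(ss_output, threshold=2):
    """Return {peer_ip: count} for peers outside INTERNAL that hold at
    least `threshold` established connections to the git:// port."""
    counts = Counter()
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) < 5 or cols[0] != "ESTAB":
            continue                  # skip the header and non-established sockets
        _, local_port = split_hostport(cols[3])
        peer_ip, _ = split_hostport(cols[4])
        if local_port != GIT_PORT:
            continue                  # only the git:// listener is of interest
        if peer_ip.version == 4 and peer_ip in INTERNAL:
            continue                  # builders inside 10.0.0.0/8 are expected
        counts[str(peer_ip)] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    for ip, n in sorted(external_git_clients(SAMPLE_SS).items()):
        print(f"{ip}: {n} git:// connections")
```

On a live host the same function can be fed the output of `ss -tn` captured at intervals; the addresses it returns are the candidates for the per-IP blocks mentioned above.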





[release] MirrorManager2: 0.8.3

2017-09-26 Thread Adrian Reber
On Tue, Sep 26, 2017 at 08:18:21AM +0200, Adrian Reber wrote:
> A new release of MirrorManager2 is available: 0.8.2
> 
> - detect and setup mirrorlist/metalinks for modular Fedora
>   https://github.com/fedora-infra/mirrormanager2/pull/220
> - umdl: only create repositories for 'Everything'
>   https://github.com/fedora-infra/mirrormanager2/pull/219
> - Correctly detect repositories
>   https://github.com/fedora-infra/mirrormanager2/pull/218
> 
> The main reason for the release are the changes to detect the
> modular release directory tree correctly.

After trying the 0.8.2 release in staging a few small changes were
necessary to correctly detect the 'modular' repositories. These changes
are in the 0.8.3 release:

- umdl: fix 'modular' repository detection
  https://github.com/fedora-infra/mirrormanager2/pull/221

Now that 0.8.3 is running in staging the following repositories have
been created/found:

# repo=modular-bikeshed-server=aarch64
# repo=modular-bikeshed-server=armhfp
# repo=modular-bikeshed-server=i386
# repo=modular-bikeshed-server=ppc64
# repo=modular-bikeshed-server=ppc64le
# repo=modular-bikeshed-server=s390x
# repo=modular-bikeshed-server=x86_64
# repo=modular-bikeshed-server-debug=aarch64
# repo=modular-bikeshed-server-debug=armhfp
# repo=modular-bikeshed-server-debug=i386
# repo=modular-bikeshed-server-debug=ppc64
# repo=modular-bikeshed-server-debug=ppc64le
# repo=modular-bikeshed-server-debug=s390x
# repo=modular-bikeshed-server-debug=x86_64
# repo=modular-bikeshed-server-source=source


Adrian




Re: Retroactive freeze break: pkgs02

2017-09-26 Thread Pierre-Yves Chibon
On Mon, Sep 25, 2017 at 01:54:49PM -0700, Kevin Fenzi wrote:
> Greetings.
> 
> This morning pkgs02 stopped answering to git:// clone urls from koji,
> breaking builds.
> 
> We investigated, but the machine was in a very weird state.
> Systemd was unable to talk to itself (systemctl/reboot didn't work, and
> journald wasn't logging new entries) and it was under very high load.
> 
> So, I applied updates to it and power cycled it.
> 
> systemd was happy after that, but load was still very very high. Looking
> I found a number of git clones from external ip's. Since there's no
> reason for this (external people should use https:// clone urls or
> ssh://) I blocked those except from 10.0.0.0/8.
> 
> Since this was outage causing for builds I went ahead and did all this,
> but would like to get retroactive +1s or any adjustments I might have
> missed.

Thanks for taking care of this +1

I wonder if this weird systemd state isn't something we hit earlier when we were
deploying pagure there.


Pierre




Re: [FBR] Make cvsadmin the admin group for dist-git pagure

2017-09-26 Thread Till Maas
On Sun, Sep 24, 2017 at 10:42:37PM +0200, Till Maas wrote:

> From bc61c3e99fff2c30cce9300a1d70761ec5a42dfc Mon Sep 17 00:00:00 2001
> From: Till Maas 
> Date: Fri, 22 Sep 2017 21:46:47 +0200
> Subject: [PATCH] Make cvsadmin group admin for dist-git pagure

This is now deployed.

Kind regards
Till


[release] MirrorManager2: 0.8.2

2017-09-26 Thread Adrian Reber
A new release of MirrorManager2 is available: 0.8.2

- detect and setup mirrorlist/metalinks for modular Fedora
  https://github.com/fedora-infra/mirrormanager2/pull/220
- umdl: only create repositories for 'Everything'
  https://github.com/fedora-infra/mirrormanager2/pull/219
- Correctly detect repositories
  https://github.com/fedora-infra/mirrormanager2/pull/218

The main reason for the release are the changes to detect the
modular release directory tree correctly.

Adrian

