Re: Retroactive FBR
On Fri, Sep 22, 2017 at 05:20:57PM -0500, Dennis Gilmore wrote: > El vie, 22-09-2017 a las 17:38 -0400, Paul W. Frields escribió: > > I want to apologize profusely -- I pushed a tiny change to the email > > aliases and completely failed to consider they are covered by FBR > > requirement. > > > > https://infrastructure.fedoraproject.org/cgit/ansible.git/commit/?id= > > fe766d267f4e3149b2931573216de96db8406101 > > > > Kushal's no longer at Red Hat effective COB today, and AIUI this > > alias > > sometimes is used for internally destined info like billing or other > > contact. > > > > So I'm seeking retroactive +1 and promise to give myself 50 lashes > > with a wet noodle. > > > > Does Robyn need to be in that list still? Probably not. I'll go over it again and revise but not until post-freeze. ;-) -- Paul W. Frieldshttp://paul.frields.org/ gpg fingerprint: 3DA6 A0AC 6D58 FEC4 0233 5906 ACDB C937 BD11 3717 http://redhat.com/ - - - - http://pfrields.fedorapeople.org/ The open source story continues to grow: http://opensource.com ___ infrastructure mailing list -- infrastructure@lists.fedoraproject.org To unsubscribe send an email to infrastructure-le...@lists.fedoraproject.org
Re: New Freeze break request: re-enable git:// on pkgs
+1 On Tue, Sep 26, 2017 at 11:26 AM, Stephen John Smoogenwrote: > +1. > > On 26 September 2017 at 11:22, Kevin Fenzi wrote: >> On 09/25/2017 10:58 PM, Till Maas wrote: >>> On Mon, Sep 25, 2017 at 01:54:49PM -0700, Kevin Fenzi wrote: >>> This morning pkgs02 stopped answering to git:// clone urls from koji, breaking builds. >>> >>> Could we make koji also use https:// nowadays? I remember that there was >>> a ticket about this. >> >> That should be all done. koji should always use https now with a valid >> cert. >> systemd was happy after that, but load was still very very high. Looking I found a number of git clones from external ip's. Since there's no reason for this (external people should use https:// clone urls or ssh://) I blocked those except from 10.0.0.0/8. Since this was outage causing for builds I went ahead and did all this, but would like to get retroactive +1s or any adjustments I might have missed. >>> >>> +1 (for no unencrypted services) >> >> Agreed, unfortunately, things don't seem to be ready for git:// to go >> away on pkgs yet. ;( >> >> * fedpkg -a still uses it. The issue there is that it needs to not only >> using https://src but it needs to pass a url to koji that works for >> official builds. See: >> >> https://bugzilla.redhat.com/show_bug.cgi?id=1188634 >> >> So, we may need to adjust kojid config on our side or something more >> intrusive. >> >> * chain builds don't work: >> >> Could not execute chainbuild: Got an error finding master head for >> : fatal: unable to connect to pkgs.fedoraproject.org: >> >> So, I'd like to revert this until after the freeze when we can actually >> have fedpkg fixed and ready for it. >> >> Note that if we start getting hammered from any specific IP's, we could >> specifically block them for now. >> >> +1s to apply this and monitor? >> >> diff --git a/inventory/group_vars/pkgs b/inventory/group_vars/pkgs >> index c0435a0..7552654 100644 >> --- a/inventory/group_vars/pkgs >> +++ b/inventory/group_vars/pkgs >> @@ -8,7 +8,7 @@ tcp_ports: [80, 443, >> 3000, 3001, 3002, 3003, 3004, 3005, 3006, 3007, >> 3008, 3009, 3010, 3011, 3012, 3013, 3014, 3015] >> >> -custom_rules: [ '-A INPUT -s 10.0.0.0/8 -p tcp -m tcp --dport 9418 -j >> ACCEPT'] >> +custom_rules: [ '-A INPUT -p tcp -m tcp --dport 9418 -j ACCEPT'] >> >> # Definining these vars has a number of effects >> # 1) mod_wsgi is configured to use the vars for its own setup >> >> kevin >> >> >> ___ >> infrastructure mailing list -- infrastructure@lists.fedoraproject.org >> To unsubscribe send an email to infrastructure-le...@lists.fedoraproject.org >> > > > > -- > Stephen J Smoogen. > ___ > infrastructure mailing list -- infrastructure@lists.fedoraproject.org > To unsubscribe send an email to infrastructure-le...@lists.fedoraproject.org ___ infrastructure mailing list -- infrastructure@lists.fedoraproject.org To unsubscribe send an email to infrastructure-le...@lists.fedoraproject.org
Re: New Freeze break request: re-enable git:// on pkgs
+1. On 26 September 2017 at 11:22, Kevin Fenziwrote: > On 09/25/2017 10:58 PM, Till Maas wrote: >> On Mon, Sep 25, 2017 at 01:54:49PM -0700, Kevin Fenzi wrote: >> >>> This morning pkgs02 stopped answering to git:// clone urls from koji, >>> breaking builds. >> >> Could we make koji also use https:// nowadays? I remember that there was >> a ticket about this. > > That should be all done. koji should always use https now with a valid > cert. > >>> systemd was happy after that, but load was still very very high. Looking >>> I found a number of git clones from external ip's. Since there's no >>> reason for this (external people should use https:// clone urls or >>> ssh://) I blocked those except from 10.0.0.0/8. >>> >>> Since this was outage causing for builds I went ahead and did all this, >>> but would like to get retroactive +1s or any adjustments I might have >>> missed. >> >> +1 (for no unencrypted services) > > Agreed, unfortunately, things don't seem to be ready for git:// to go > away on pkgs yet. ;( > > * fedpkg -a still uses it. The issue there is that it needs to not only > using https://src but it needs to pass a url to koji that works for > official builds. See: > > https://bugzilla.redhat.com/show_bug.cgi?id=1188634 > > So, we may need to adjust kojid config on our side or something more > intrusive. > > * chain builds don't work: > > Could not execute chainbuild: Got an error finding master head for > : fatal: unable to connect to pkgs.fedoraproject.org: > > So, I'd like to revert this until after the freeze when we can actually > have fedpkg fixed and ready for it. > > Note that if we start getting hammered from any specific IP's, we could > specifically block them for now. > > +1s to apply this and monitor? > > diff --git a/inventory/group_vars/pkgs b/inventory/group_vars/pkgs > index c0435a0..7552654 100644 > --- a/inventory/group_vars/pkgs > +++ b/inventory/group_vars/pkgs > @@ -8,7 +8,7 @@ tcp_ports: [80, 443, > 3000, 3001, 3002, 3003, 3004, 3005, 3006, 3007, > 3008, 3009, 3010, 3011, 3012, 3013, 3014, 3015] > > -custom_rules: [ '-A INPUT -s 10.0.0.0/8 -p tcp -m tcp --dport 9418 -j > ACCEPT'] > +custom_rules: [ '-A INPUT -p tcp -m tcp --dport 9418 -j ACCEPT'] > > # Definining these vars has a number of effects > # 1) mod_wsgi is configured to use the vars for its own setup > > kevin > > > ___ > infrastructure mailing list -- infrastructure@lists.fedoraproject.org > To unsubscribe send an email to infrastructure-le...@lists.fedoraproject.org > -- Stephen J Smoogen. ___ infrastructure mailing list -- infrastructure@lists.fedoraproject.org To unsubscribe send an email to infrastructure-le...@lists.fedoraproject.org
New Freeze break request: re-enable git:// on pkgs
On 09/25/2017 10:58 PM, Till Maas wrote: > On Mon, Sep 25, 2017 at 01:54:49PM -0700, Kevin Fenzi wrote: > >> This morning pkgs02 stopped answering to git:// clone urls from koji, >> breaking builds. > > Could we make koji also use https:// nowadays? I remember that there was > a ticket about this. That should be all done. koji should always use https now with a valid cert. >> systemd was happy after that, but load was still very very high. Looking >> I found a number of git clones from external ip's. Since there's no >> reason for this (external people should use https:// clone urls or >> ssh://) I blocked those except from 10.0.0.0/8. >> >> Since this was outage causing for builds I went ahead and did all this, >> but would like to get retroactive +1s or any adjustments I might have >> missed. > > +1 (for no unencrypted services) Agreed, unfortunately, things don't seem to be ready for git:// to go away on pkgs yet. ;( * fedpkg -a still uses it. The issue there is that it needs to not only using https://src but it needs to pass a url to koji that works for official builds. See: https://bugzilla.redhat.com/show_bug.cgi?id=1188634 So, we may need to adjust kojid config on our side or something more intrusive. * chain builds don't work: Could not execute chainbuild: Got an error finding master head for : fatal: unable to connect to pkgs.fedoraproject.org: So, I'd like to revert this until after the freeze when we can actually have fedpkg fixed and ready for it. Note that if we start getting hammered from any specific IP's, we could specifically block them for now. +1s to apply this and monitor? diff --git a/inventory/group_vars/pkgs b/inventory/group_vars/pkgs index c0435a0..7552654 100644 --- a/inventory/group_vars/pkgs +++ b/inventory/group_vars/pkgs @@ -8,7 +8,7 @@ tcp_ports: [80, 443, 3000, 3001, 3002, 3003, 3004, 3005, 3006, 3007, 3008, 3009, 3010, 3011, 3012, 3013, 3014, 3015] -custom_rules: [ '-A INPUT -s 10.0.0.0/8 -p tcp -m tcp --dport 9418 -j ACCEPT'] +custom_rules: [ '-A INPUT -p tcp -m tcp --dport 9418 -j ACCEPT'] # Definining these vars has a number of effects # 1) mod_wsgi is configured to use the vars for its own setup kevin signature.asc Description: OpenPGP digital signature ___ infrastructure mailing list -- infrastructure@lists.fedoraproject.org To unsubscribe send an email to infrastructure-le...@lists.fedoraproject.org
[release] MirrorManager2: 0.8.3
On Tue, Sep 26, 2017 at 08:18:21AM +0200, Adrian Reber wrote: > A new release of MirrorManager2 is available: 0.8.2 > > - detect and setup mirrorlist/metalinks for modular Fedora > https://github.com/fedora-infra/mirrormanager2/pull/220 > - umdl: only create repositories for 'Everything' > https://github.com/fedora-infra/mirrormanager2/pull/219 > - Correctly detect repositories > https://github.com/fedora-infra/mirrormanager2/pull/218 > > The main reason for the release are the changes to detect the > modular release directory tree correctly. After trying the 0.8.2 release in staging a few small changes were necessary to correctly detect the 'modular' repositories. These changes are in the 0.8.3 release: - umdl: fix 'modular' repository detection https://github.com/fedora-infra/mirrormanager2/pull/221 Now that 0.8.3 is running in staging the following repositories have been created/found: # repo=modular-bikeshed-server=aarch64 # repo=modular-bikeshed-server=armhfp # repo=modular-bikeshed-server=i386 # repo=modular-bikeshed-server=ppc64 # repo=modular-bikeshed-server=ppc64le # repo=modular-bikeshed-server=s390x # repo=modular-bikeshed-server=x86_64 # repo=modular-bikeshed-server-debug=aarch64 # repo=modular-bikeshed-server-debug=armhfp # repo=modular-bikeshed-server-debug=i386 # repo=modular-bikeshed-server-debug=ppc64 # repo=modular-bikeshed-server-debug=ppc64le # repo=modular-bikeshed-server-debug=s390x # repo=modular-bikeshed-server-debug=x86_64 # repo=modular-bikeshed-server-source=source Adrian signature.asc Description: PGP signature ___ infrastructure mailing list -- infrastructure@lists.fedoraproject.org To unsubscribe send an email to infrastructure-le...@lists.fedoraproject.org
Re: Retroactive freeze break: pkgs02
On Mon, Sep 25, 2017 at 01:54:49PM -0700, Kevin Fenzi wrote: > Greetings. > > This morning pkgs02 stopped answering to git:// clone urls from koji, > breaking builds. > > We investigated, but the machine was in a very weird state. > Systemd was unable to talk to itself (systemctl/reboot didn't work, and > journald wasn't logging new entries) and it was under very high load. > > So, I applied updates to it and power cycled it. > > systemd was happy after that, but load was still very very high. Looking > I found a number of git clones from external ip's. Since there's no > reason for this (external people should use https:// clone urls or > ssh://) I blocked those except from 10.0.0.0/8. > > Since this was outage causing for builds I went ahead and did all this, > but would like to get retroactive +1s or any adjustments I might have > missed. Thanks for taking care of this +1 I wonder if this weird systemd state isn't something we hit earlier when we were deploying pagure there. Pierre signature.asc Description: PGP signature ___ infrastructure mailing list -- infrastructure@lists.fedoraproject.org To unsubscribe send an email to infrastructure-le...@lists.fedoraproject.org
Re: [FBR] Make cvsadmin the admin group for dist-git pagure
On Sun, Sep 24, 2017 at 10:42:37PM +0200, Till Maas wrote: > From bc61c3e99fff2c30cce9300a1d70761ec5a42dfc Mon Sep 17 00:00:00 2001 > From: Till Maas> Date: Fri, 22 Sep 2017 21:46:47 +0200 > Subject: [PATCH] Make cvsadmin group admin for dist-git pagure This is now deployed. Kind regards Till ___ infrastructure mailing list -- infrastructure@lists.fedoraproject.org To unsubscribe send an email to infrastructure-le...@lists.fedoraproject.org
[release] MirrorManager2: 0.8.2
A new release of MirrorManager2 is available: 0.8.2 - detect and setup mirrorlist/metalinks for modular Fedora https://github.com/fedora-infra/mirrormanager2/pull/220 - umdl: only create repositories for 'Everything' https://github.com/fedora-infra/mirrormanager2/pull/219 - Correctly detect repositories https://github.com/fedora-infra/mirrormanager2/pull/218 The main reason for the release are the changes to detect the modular release directory tree correctly. Adrian signature.asc Description: PGP signature ___ infrastructure mailing list -- infrastructure@lists.fedoraproject.org To unsubscribe send an email to infrastructure-le...@lists.fedoraproject.org