The Kata Containers community has moved off of IRC. In the attempt
to archive the IRC channels this patch removes logging for them by
removing the #kata-dev and #kata-general channels from the
inventory/service/group_vars/eavesdrop.yaml file.
Change-Id: I7af3ba965abb6f7852addf40f8d2112b211557ef
Signed-off-by: Ildiko Vancsa <ildiko.vancsa@gmail.com>
This change removes review02 from our inventory and configuration
management. This should be landed after we're confident we're unlikely
to need to roll back to that server. That said, if we do roll back before
the server is cleaned up, reverting this change isn't too bad.
Change-Id: Ica14ae92c4c1ef6db76acef93d6d65977aab4def
This adds review03 to cacti, zuul known_hosts, and
infra-prod-service-review file matchers. This catches us up with
review02's old state before we start to clean up review02 which may be
in a few days.
Change-Id: I8b58febd16af6c4c8ed13d21b9758a3b65812129
This adds the remaining in-service openstack clouds to the zuul
config for use by the zuul-launcher.
Change-Id: I5475a9ec3914c1fee672a3de8d9baf888ee46fd2
The web bot crawlers have discovered port 3000 and have brought gitea09
to its knees. Block port 3000 access and force traffic through the
proxies which help moderate things better.
Change-Id: I16f55a7ebb222466b8823cfee7c4ac8c628ff5b1
We've moved all our resources to the new project now, so no longer
need old cloud and hostvar references.
Also include some comments about manual adjustments we made to the
MTU in the new projects.
Change-Id: I0bca50f2193d89fffd3ca20c8f8fc79e376eebb1
The new projects/tenants we have in Rackspace Flex DFW3 and SJC3
regions still need private networks and routers in order to bind
floating IPs on server instances. Add them to our cloud-launcher
config so they'll get created the next time it runs.
Change-Id: I63a41c23d4b5b4f0e2c37afae48032db44bc30ed
With the introduction of the DFW3 region, there are new projects
consistent across all regions. We want to switch to using those, but
right now our existing resources are in a legacy project that only
exists in the SJC3 region. Add the new projects to our bridge config
for both regions as new clouds, and remove the nonfunctional DFW3
from the old one for clarity. Once we've built up new resources and
cleaned up the old project in SJC3, we can clean up the entries
associated with it.
Change-Id: I66beaae4a6d53ad07293300153a2d4b8da33cc9f
The OpenInfra Foundation is switching from openinfra.dev to
openinfra.org, so move all the mailing lists to prefer the new
addresses and URLs while still supporting the previous ones.
Also add some redirect testing to exercise the Apache rewrites.
Change-Id: Ic10d6519e2a1c4ddab38fdb3119cc20ee62ca741
This adds vexxhost as a second openstack cloud connection to the
zuul launcher. This will help us benchmark image times for "raw"
images.
Change-Id: Ifdab5abb9915f384482eda844194f77e8d1b80ca
Since these are not globally routable addresses anyway, we might as
well use a larger network so that we're not constrained by the
subnet size later if we get more than 253 servers worth of quota.
This should be safe since the network is not presently in use for
anything outside of Rackspace Flex, which we haven't hooked up to
Nodepool yet. A cursory search of subset CIDRs also indicates
addresses in this range aren't being configured on virtual
interfaces for existing tests.
Change-Id: Ic32cbc0b24d037c67a5c2f8dd2834013017b8c87
The default environment for Rackspace Flex requires user-created
Neutron networks. Add our custom subnets connected to the provider
network "PUBLICNET" with our usual keypairs and open security
groups.
This is based on Clark's change several years ago for the old
InMotion cloud: I2aed6dffde4a1d6e3044c4bd8df4ca60065ae1ea
Change-Id: I8878ff36381d1e82d3bb5180e72a7eec1ce28056
Years ago, while combating a rather nasty and prolonged bout of spam
to mailing list owner addresses, we added configuration to silently
drop any messages for them. That had a side-effect of also
discarding list moderation notifications. As the spam wave subsided
some time back and the primary manager of the edge-computing mailing
list would like to start receiving these notifications once more,
we're removing the line responsible from our listserv's MTA
configuration.
We could consider doing the same for other lists, but since the
sudden arrival of new notifications after years of silence may be a
surprise, we need to think about that more carefully before doing
so.
Change-Id: I10e371e22fd560f133445ce8d17f1c3a2698e839
This removes ansible configuration for the linaro cloud itself and the
linaro cloud mirror. This cloud is in the process of going away and
having these nodes in our inventory is creating base jobs failures due
to unreachable nodes. This then dominoes into not running the LE refresh
job and now some certs are not getting renewed. Clean this all up so
that the rest of our systems are happy.
Note that we don't fully clean up the idea of an unmanaged group as
there may be other locations we want to do something similar (OpenMetal
perhaps?). We also don't remove the openstack clouds.yaml entries for
the linaro cloud yet. It isn't entirely clear when things will go
offline, but it may be as late as August 10 so we keep those credentials
around as they may be useful until then.
Change-Id: Idd6b455de8da2aa9901bf989b1d131f1f4533420
In change I9e21eb19b85c9a4b19f5e6c5d03a89c89028bbc4 we incorrectly
adjusted Exim's smtp_accept_max_per_host option from 10 to 50 rather
than setting the smtp_accept_queue_per_connection option we actually
needed. Add this parameter as a new tunable in the role, set the
other option back to its prior value, and update comment references
accordingly.
Change-Id: I13f0275202eba8b5190a76bff921f1ac5adbeea0
In order to avoid tripping Exim's threshold for punting deliveries
to periodic queue processing, make sure to set Mailman's
mta.max_recipients value less than Exim's smtp_accept_max_per_host.
This should eliminate the "no immediate delivery: more than X
messages received in one connection" errors in Exim's mainlog.
While we're at it, increase both for greater throughput.
Change-Id: I9e21eb19b85c9a4b19f5e6c5d03a89c89028bbc4
This removes management of the inmotion cloud mirror and cloud launcher
configs in preparation for retirement of this cloud. We don't remove the
cloud from clouds.yaml files as it is a bit more ambiguous as to how
long that will be useful (potentially necessary for manual cleanup
steps). Instead when we get around to adding openmetal after inmotion
has been shut down and resurrected as a new openmetal cloud we can
replace clouds.yaml config then.
This cleanup is necessary to avoid errors when the cloud goes away. We
will be working with OpenMetal to make this happen. It shouldn't matter
if we land this before or after the project-config changes for nodepool
cleanup as things are decoupled sufficiently well.
Change-Id: I9d224318a9cfac35b867babff92e1071ca23c574
There is some ancient redirect we don't control somewhere in Liquid
Web's IP space which has been serving a redirect from
api.openstack.org to developer.openstack.org for who knows how long.
Since we already have a farm of redirect vhosts for other sites on
static.openstack.org, add this one as well so we can clean up this
strange and confusing external dependency.
Change-Id: I8051121761366ccbd07f3795c9aecc766f9fb7ff
In testing jammy updates we discovered that this value needs to match
so that websockets are directed to the correct host.
Change-Id: Id44bf92edff411389f05a652dad2ae78607e4d55
This notably drops pabelanger and mordred (thank you for all the help!),
changes clarkb's, frickler's and fungi's keys, and adds tonyb's key.
Once this is applied to our clouds we can update nodepool configs.
Change-Id: I9f1b205099285a5e735b2f9c8f85a3b3d3666dd5
This will stop us from trying to add old versions of infra-root-keys to
new clouds. I'm fairly certain this won't remove them from existing
clouds (something we can do manually after this change lands). All of
the nodepool nodes seem to use the latest 2020 version so this should be
safe for running workloads.
Change-Id: I105cf90e1ff2571c8962abfbc6c747e42e899853
We should really be backing this up before it begins to get used by
additional services. Also, since our newer deployment uses a
separate RDBMS, back that up safely.
Change-Id: I4510dd05204f4b0f450d1925ed7be148d7d73e6e
This includes a switch from the "legacy" style Wildfly-based image
to a new setup using Quarkus.
Because Keycloak maintainers consider H2 databases as a test/dev
only option, there are no good migration and upgrade paths short of
export/import data. Go ahead and change our deployment model to rely
on a proper RDBMS, run locally from a container on the same server.
Change-Id: I01f8045563e9f6db6168b92c5a868b8095c0d97b
The OpenInfra Labs pilot project was closed down by mutual agreement
of the OpenInfra Foundation and former project contributors[*]. Its
mailing list will no longer be used. Reject any future posts at the
MTA in order to avoid creating the backscatter which would result if
Mailman itself were configured to bounce messages or send notices.
[*] https://lists.opendev.org/archives/list/openinfralabs@lists.opendev.org/thread/FHFSNRS5ZOWW7LJCKSMXT3HVPMSTSUEA/
Change-Id: I40c1568928399e86ac4ab501040ded6874172243
This should have the side effect of removing the older smaller key from
gitea. This is now safe as we have just restarted gerrit to pick up new
configuration forcing it to replicate with the new key. We know it isn't
using the old key because we moved the old key aside during the restart.
This is being done so that the gitea 1.21 upgrade can be made without
disabling key verification in gitea.
Change-Id: I1bad1dda2adf32c5c01b8b5f134130d887d8ec06
We use a new larger rsa key so that gitea checks on key size don't fail
when we upgrade gitea to 1.21 or newer. We did consider an ed25519 key
instead but those keys can only be generated in the new openssh key file
format and there is some question around whether or not Gerrit's
replication plugin (ultimately MINA ssh client) can read those files. To
be safe we stick with what we know works and simply increase the bit
count.
Change-Id: I51e97e8545a54202b05f32de70c0715083954119
The OpenInfra Foundation executive team is requesting creation of
new mailing lists on lists.openinfra.dev for the foundation's new
Asia hub. One list will have an open subscription policy and
publicly available archives, while the other will be utilized by the
advisory board for any sensitive topics that must be kept private.
Change-Id: Ie8b6b21b27dfaf932267266f644e7bd8c2f03981
A different group than the FLOSS MOOC looking for a place
to have asynch discussions around setting up and maintaining
OSS mentorship programs at academic institutions.
Change-Id: I41c83b65ff85f7d7048570ddfe0f793613e39e34
This change refactors how gerrit's key(s) in gitea are managed. The
motivation behind this is to allow us to do key rotation with overlap in
accepted keys. To do this we first check which keys are present. Then
any missing keys are added. Finally we remove any keys which are not in
our key options.
This also corrects a bug where replacing keys would've required two
Ansible passes to delete the old key then add the new key. All keys
should be properly set in a single Ansible pass with this update.
Change-Id: I1eaf5ae89542e3e4f479c77e4df72a34d65d9c46
This project didn't proceed past the test phase,
let's clean it up.
Revert "Add a functional test for registry.zuul-ci.org"
This reverts commit e701fdd3ca1d798bd912b19e91e154e8a88f43b8.
Revert "Add testinfra for registry.zuul-ci.org"
This reverts commit e00f4e59b39cabc3e33823a957d3623dce06f9c4.
Revert "Add static site for registry.zuul-ci.org"
This reverts commit 31b505d3ba29f751b8f02ff365ee6de6b5d350f9.
Revert "Add SSL cert for registry.zuul-ci.org"
This reverts commit d0a8473d42bb0ee3ab1cc8bffbf5bb2fea90f755.
Change-Id: I1d39306187c7b2d7a908389f88d1a60e1b29ffe3
Now that we no longer run a Mailman v2 server, we can drop all the
automation we used for deploying and maintaining it.
Change-Id: I522cdbef86d1fe491d446e4b721a7873564c927a