Since ssl.wrap_context has been removed in Python 3.12,
switch that out with SSLContext.wrap_context instead.
Change-Id: Ic3d7250937544e3a1eda3276db8ed43972735b98
Co-Authored-By: Clark Boylan <clark.boylan@gmail.com>
Depends-On: https://review.opendev.org/945662
This upgrades us from gitea 1.23.5 to 1.23.6. The templates we override
do not change between these versions in gitea proper so no template
updates are necessary. This appears to largely be a bugfix release.
The full release notes can be seen here:
https://github.com/go-gitea/gitea/blob/v1.23.6/CHANGELOG.md
The main change that stands out to me is:
https://github.com/go-gitea/gitea/pull/33992
As that modifies the indexer which has been the source of memory issues
in the past. However, this looks like a straightforward update and is
probably fine.
Change-Id: I3a47380a2e9107bb2dca1b0a3d66c44249ee60c3
At this point all four of these servers have been replaced by new Noble
nodepool launchers. When we are happy with the new servers we should
land this change and remove the other servers from our inventory so that
they can be deleted.
Change-Id: Ia0b39aae8f6cfa139a81877554c34bb5b8e5cb1a
This server replaces nl01 as a new nodepool launcher. We do nl05 last
because nl01/nl05 provide the greatest amount of nodepool capacity via
rackspace's various regions. We should deploy this server when we are
happy with the other three.
Change-Id: I073121fc74bc6665de669819a51841925d6be9f4
These two servers replace nl03 and nl04 respectively. We're doing the
launcher replacement in batches to avoid excessively reducing our
capacity if something goes wrong in the deployment. nl06 seems to have
deployed properly so let's proceed to nl07 and nl08.
Change-Id: I56a5280e69f36c6df3c36c9c9a3a0f2d0bfcd4f8
This adds a new Noble nodepool launcher node, nl06, to replace nl02.
When this change lands I will put nl02 in the emergency file and
manually shut down services on it. This should allow nl06 to come up with
its config and take over management of openmetal provider resources.
While we are at it we update the system-config-run-nodepool testing to
deploy a noble nl05. That doesn't exactly match this change but nl05
will replace nl01 soon enough. We just need to update CI to ensure that
we can deploy a nodepool launcher on Noble before we actually attempt to
do so in production.
Depends-On: https://review.opendev.org/c/opendev/zone-opendev.org/+/945364
Depends-On: https://review.opendev.org/c/openstack/project-config/+/945359
Change-Id: I18db9f57bd41ed2a57c545f02ac0113bb8b4d9de
This old mirror01 host has been replaced by a new Noble mirror02 host.
Pull this server out of configuration management so that it can be
deleted.
Depends-On: https://review.opendev.org/c/opendev/zone-opendev.org/+/945254
Change-Id: I9cc6b5b36641cced02be82a5d8405f02a06ea05b
This is a new Noble mirror that will replace the old mirror. We update
the inventory test cases to stop matching the old mirror because that
old mirror will eventually be removed from the inventory. Otherwise this
is a pretty standard mirror replacement.
Depends-On: https://review.opendev.org/c/opendev/zone-opendev.org/+/945230
Change-Id: Ib18d834e16ebeec75fb7f16e1dc83b357efb646c
On Ubuntu Noble we run `docker compose` instead of `docker-compose`.
This newer tool ignores the version set in docker-compose.yaml files and
emits a warning when it is set. Clean up this version on services that
only run with `docker compose` and not `docker-compose`.
Change-Id: I08ce1f2ddc6a07fd47b4524af21255c1c4903785
These servers have been replaced by new Noble servers (nb05, nb06,
nb07). These new servers have managed to build every one of our current
images except for gentoo, openeuler, and openeuler arm64. These three
images weren't building on the old system either.
There is a small amount of concern that removing the old servers without
letting them clean up the database after themselves may orphan some
zookeeper database records. However the current rockylinux-9 images were
both built by nb05 or nb06 and we don't have any old records from nb01
or nb02 remaining so it seems nodepool cleans up after itself properly.
Worst case we can probably do manual database edits.
We also remove the version specifier in the docker-compose.yaml file as
`docker compose` ignores it and emits a warning when it is present. Once
this change lands all of our nodepool builders will use `docker compose`
instead of `docker-compose` making this a safe cleanup.
Change-Id: Iab8d2b6493b78cc3711d64119da2da5d3456a25a
This adds the remaining in-service openstack clouds to the zuul
config for use by the zuul-launcher.
Change-Id: I5475a9ec3914c1fee672a3de8d9baf888ee46fd2
In order to discard nodes not capable of running centos 9, launch node
discards x86_64 nodes that don't support sse4_2. However, this check
doesn't make sense for aarch64 nodes (like our arm nodepool builder).
Only check sse4_2 support when the machine type is x86_64.
Change-Id: If06c834be5e7189ddd8ee5b746f50e7bdb9f95d3
This is a followup to the prior fix that addressed the path issue. Now
we have the problem of docker-compose attempting to allocate a tty (the
default) which isn't possible by default under cron. We don't need a tty
so we pass -T to disable tty allocation in the first place.
I should've caught this the last time around but my testing didn't catch
it because I was running from a shell.
Change-Id: I57797c8d140335d9edcdcd324239fdefb09882d4
This is a semi regular update to the base python container images.
Should pick up updates to the base debian OS as well as the python
installation.
Since newer versions of uWSGI don't seem to build on aarch64, we stop
building containers for that arch.
Change-Id: Ib1cd2197cbfc96b707860cfa3946108da05bd697
As docker-compose resides in /usr/local/bin, which is not in the
default PATH for crontabs, use the full path to the executable.
Change-Id: I26e4147c4d2e964ff1c91831cf326222b92147bf
This adds two new Noble nodepool builders to our inventory. When we
deploy these two servers we will shut down services on nb01 and nb02 and
put those older servers in the emergency file to force the new Noble
nodes to build images. This should give us a safe way to roll forward
onto the new platform and catch any problems.
Depends-On: https://review.opendev.org/c/opendev/zone-opendev.org/+/944794
Change-Id: Icbb48404ff11a1c887a0184fc60ae2ff6f7a3409
As we roll out Noble nodes we have to maintain compatibility between focal
with docker-compose and noble with docker compose. One difference is the
default container names change between them. We can work around that by
using docker compose commands to refer to the logical container rather
than the specific container.
Update the nodepool builder image export cron job to use docker-compose
exec instead of docker exec for this reason.
Change-Id: Iba2e395cf1792096c629ab74f849d55e96d74329
As we start to roll out python3.12 container images I've discovered that
we aren't mirroring python3.12 tags for the base python container images
to quay. This is currently impeding lodgeit container image updates, but
may affect others as python3.12 becomes more common.
Let's mirror these tags and solve the problem.
Change-Id: Ic9283f806ef85168368572ced38861bec4764019
This changes the python runtime in our container image for accessbot
from python3.11 to 3.12. We can't stick with python3.11 forever and need
to move forward at some point.
Change-Id: I9566d4c030c85f069d284eb054ce64e3316bbd3a
This removes the old mirror01 vexxhost mirrors from config management.
The old mirror02 mirrors were removed when we added mirror03 nodes. With
both pairs out of configuration management we can clean up DNS then
delete the servers and their volumes.
Change-Id: I6f2d914ee8fbf9358b182b05c91fe97bc7edcc5b
The mirror02 mirrors were booted on flavors that were much larger than
necessary and didn't have external volumes attached for the cache
content. I've gone ahead and booted replacement Noble nodes using a
smaller flavor naming them mirror03 and attached a volume to each one
for caching.
We pull mirror02 out of the inventory as we don't need it anymore
(mirror01 is in use in production and will be cleaned up in followups).
Depends-On: https://review.opendev.org/c/opendev/zone-opendev.org/+/944150
Change-Id: Ice9b4e79bfde5a8364d084c7434b848805d8ecfd
The max of 2 seems to be working well and system load on bridge has
remained reasonable. Double this again to 4 as it appears that should be
a safe limit load wise on bridge.
Change-Id: I9afcd76fae0cf0bc28c00fa44dd4390a99372185
The web bot crawlers have discovered port 3000 and have brought gitea09
to its knees. Block port 3000 access and force traffic through the
proxies which help moderate things better.
Change-Id: I16f55a7ebb222466b8823cfee7c4ac8c628ff5b1
Currently this logs to /var/log/ansible.log via the log_path setting
in the Ansible config, and we also redirect output to a file. The
stdout dump is the primary debugging method, and contains the same
info as what is put into /var/log/ansible.log by Ansible logging.
Instead, set ANSIBLE_LOG_PATH to /dev/null these logs, and just save
the stdout output. While we're here, save stderr too.
This way if you manually run Ansible on bridge you've got logging by
default, but this should stop multiple runs of production Ansible via
Zuul all mushing together their output into a fairly useless global
log file.
Change-Id: Iae32f501dc718f9bbfd403c6857ca7c8dc8767de
The gitea-lb, zuul-lb, and zookeeper deployments rely on statsd sidecar
images to collect and report metrics to statsd. We should trigger the
infra-prod deployment jobs for these services when those images update.
We make a noop timestamp update to each Dockerfile to exercise that
update via this change.
Change-Id: I1ffd57d386812560c72861bf66a10c1822a25217
The puppet services may depend on LE certs. Ensure that puppet has a
soft dependency on letsencrypt so that LE certs can be put into place
before puppet attempts to manipulate them.
Change-Id: Iec676b63d7e07bbf6841492139abf549494fa0f5
Bump the semaphore for infra-prod jobs to max: 2 so that up to two infra
prod jobs can run in parallel on bridge at the same time. Note we
should land this after we are happy with the new setup's locking and
pausing.
Change-Id: Icce98bb495d5edd9256f8e1d65d88b2f9d879132
The required-projects list is necessary for bootstrap-bridge to know
which repos to update on bridge. Since bootstrap-bridge doesn't know
which child jobs will follow up we update the four repos that bridge
depends on.
Change-Id: Ib31c67a20021665105b2567a65b94f7510e87d5b
This is a followup to the parent change to continue to convert images
over to python3.12 from python3.11.
Change-Id: I44e7828728e86becbab41fc68b64a9ccb7a916a1