Our base images have pip pre-installed from get-pip. This means
that the installation of pip and virtualenv from distro packages
in the ansible is misleading.
Update the role to match reality.
Change-Id: I500b14f9f9df00b6e0c4f152f8b4c7faa1bb94d4
To make it clear that docker hub is but one of many possible registries,
update our usage of FROM and image: lines to include docker.io in the
path.
There are a few other FROM lines for the gitea images which are handled
in a separate stack.
Change-Id: I6fafd5f659ad19de6951574afc9a6b6a4cf184df
1.10 introduces a PASSWORD_COMPLEXITY setting with a default value
of lower,upper,digit,spec - which requires passwords to have an
upper, lower, digit and special character. Our example password does
not have this, so set the PASSWORD_COMPLEXITY setting. We could
alternately leave it at the default and ensure that our passwords
meet the spec.
The sshd_config file is templated now, so we can set the listen port
via env var.
Change-Id: I6e4b595eabb9c6885d78fff1109ea9f602e89ef7
We need to run bindep before installing git, because otherwise if
a project needs git in its bindep, it won't show up because it'll
be on the build host.
Split the function in two and call them before and after the git
installation.
Change-Id: I316b1bc643eb9293500b31e676361eec7060701d
In the dependent change, the docker roles will add sibling packages to
the .zuul-siblings directory of the checked-out source.
Refactor the "assemble" script to handle this. Essentially we build
the wheel for "." and then iterate over ZUUL_SIBLINGS subdirectories
(set in a --build-arg by the role in dependent change) to also build
the sibling packages. Note we concatenate the bindep.txt files, so
that we end up with the complete package list required by the main
code and its dependencies.
"install-from-bindep" now installs all the wheels, using --force to
make sure we re-install the speculatively built packages.
This means that a single Dockerfile works under Zuul when
ZUUL_SIBLINGS is set, pointing to Zuul's checkouts; but it also works
stand-alone -- in this case ZUUL_SIBLINGS is empty and we just install
from upstream as usual.
Depends-On: https://review.opendev.org/696987
Change-Id: I4943ae723b06b0ad808e7c7f20788109e21aa8bf
We have seen failures issuing keys, but can't see the output of the
letsencrypt wrapper without capturing this logfile. Add it.
Also, when we updated the mirror to "mirror01.openafs." (because we
have WIP for non-openafs kafs mirrors too) we didn't update the
host-vars match for the apache logs either. Fix this.
Change-Id: I810a02d309f473e8c4aa0ce1612088aba7868c33
We are replacing the inap mirror with a bigger instance. The reason for
this is our cinder volume throughput hasn't been quick enough and mgagne
says that we'll get the best performance via local disk. In order to
host the caches we have on local disk we need a bigger root device which
means a bigger flavor.
Change-Id: Id7e641e3b62400f4e1181ef6763a51b9d1e9068c
We switched Fedora to do vos release via ssh with localauth in
I56ecdb2511597197deeeadf51f50da7e02f56954 and it has been working.
Switch the rest of the update scripts. There is an increasing amount
of common code, start a common functions.sh script where we can put
this.
Change-Id: I4ba6d64a84bb66e8686901b16010352de942f303
Use the new vos_release user on the remote host to release the volume
via localauth, to avoid any timeouts.
Change-Id: I56ecdb2511597197deeeadf51f50da7e02f56954
Depends-On: https://review.opendev.org/#/c/695554/
The sudoers parser really, really, *really* doesn't like it when the
last line of data in your file lacks a trailing newline. Add one so
sudo will work again on these servers.
Change-Id: I40fbb535faf5b41cc56c56f09f248eea398df4e0
If you read the man page
# This will cause sudo to read and parse any files in the /etc/sudoers.d
# directory that do not end in '~' or contain a '.' character.
I don't know why sudo doesn't like files with a ".", but remove it.
Fix the syntax in this file which has too many spaces.
The theory that specifying a command means you can have nologin as
shell is debunked; change the shell to /bin/bash
root@mirror-update01:~# ssh -i ~/.ssh/id_vos_release vos_release@afs01.dfw.openstack.org vos
This account is currently not available.
Don't use shortcuts for positional parameters, suggested by jaltmann
in If70b27cb974eb8c1bafec2b7ef86d4f5cba3c4c5.
After hand applying these fixes, I can log in and run the script as
expected.
Change-Id: I058aadaa5ca5c7b8e94b275c4b8d26e1e0688ce8
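
A pre-deploy check for sudoers.d fragments covering the two failures described in the commits above, as an added example that is not the opendev role or script; it assumes fragments are passed as a directory argument and checks only what the commits describe:

```shell
#!/bin/sh
# Pre-deploy check for /etc/sudoers.d fragments (added example, not the
# opendev role). It catches the two problems from the commits above before
# a broken fragment takes sudo down on the whole host: a file name sudo
# silently skips (contains '.' or ends in '~') and a missing trailing
# newline. Run "visudo -cf <file>" on the target host for a full syntax check.

# Return 0 if the fragment at $1 passes, 1 otherwise (reason on stderr).
check_sudoers_fragment() {
    f="$1"
    name=$(basename "$f")
    case "$name" in
        *.*|*~)
            echo "$f: name skipped by sudo (contains '.' or ends in '~')" >&2
            return 1 ;;
    esac
    [ -s "$f" ] || { echo "$f: empty fragment" >&2; return 1; }
    # tail -c1 prints the last byte; $(...) strips a newline, so an empty
    # result means the file ends in a newline, which the parser requires.
    if [ -n "$(tail -c1 "$f")" ]; then
        echo "$f: missing trailing newline" >&2
        return 1
    fi
    return 0
}

# Check every fragment in a directory (default /etc/sudoers.d); return 1 if any fail.
check_sudoers_dir() {
    dir="${1:-/etc/sudoers.d}"
    rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        check_sudoers_fragment "$f" || rc=1
    done
    return "$rc"
}

# When run as a script with a directory argument, check that directory.
if [ "$#" -gt 0 ]; then
    check_sudoers_dir "$1"
fi
```
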
I was trying to simplify things by having a restricted shell script
run by root. However, our base-setup called my bluff as we also need
to setup sshd to allow remote root logins from specific addresses.
It's looking easier to create a new user, and give it sudo permissions
to run the vos release script.
Change-Id: If70b27cb974eb8c1bafec2b7ef86d4f5cba3c4c5
I wasn't correctly sourcing the key; it has to come from hostvars as
it is in a different play on different hosts. This fixes it.
We also need to not have the base roles overwrite the authorized_keys
file each time. The key we provision can only run a limited script
that wraps "vos release".
Unfortunately our gitops falls down a bit here because we don't have
full testing for the AFS servers; put this on the todo list :) I have
run this manually for testing.
Change-Id: I0995434bde7e43082c01daa331c4b8b268d9b4bc
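
The restricted-key design in the two commits above (a vos_release user whose key can only run a wrapper around "vos release"), as an added example that is not the opendev script: a forced-command wrapper that validates SSH_ORIGINAL_COMMAND before running anything. The wrapper path, the `restrict` authorized_keys option and the `-id`/`-localauth` vos flags are assumptions.

```shell
#!/bin/sh
# Forced-command wrapper for a single-purpose SSH key (added example, not the
# opendev script). The authorized_keys entry is assumed to look like:
#   command="/usr/local/bin/vos-release-wrapper",restrict ssh-ed25519 AAAA... vos_release
# sshd ignores the client's requested command and runs this wrapper instead,
# exposing the request as SSH_ORIGINAL_COMMAND. The wrapper only ever runs
# "vos release -id <volume> -localauth" (flag names assumed from vos(1)).

# Validate a request of the form "vos release <volume>". On success print the
# exact command to run and return 0; on any deviation return 1.
vos_release_cmd() {
    req="$1"
    # Allow only letters, digits, '.', '_', '-' and spaces before word
    # splitting, so quotes, ';', '$', backticks and glob characters are
    # rejected as a whole rather than interpreted by the shell.
    case "$req" in
        ''|*[!A-Za-z0-9._' '-]*) return 1 ;;
    esac
    set -- $req
    [ "$#" -eq 3 ] || return 1
    [ "$1" = "vos" ] && [ "$2" = "release" ] || return 1
    vol="$3"
    # No leading '-', so the name can never be parsed as a vos option;
    # 22 characters is the AFS read/write volume name limit.
    case "$vol" in
        -*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    [ "${#vol}" -le 22 ] || return 1
    printf 'vos release -id %s -localauth\n' "$vol"
}

# Entry point when sshd runs the wrapper for the restricted key.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    if cmd=$(vos_release_cmd "$SSH_ORIGINAL_COMMAND"); then
        logger -t vos-release-wrapper "allowed: $cmd"
        exec $cmd
    else
        logger -t vos-release-wrapper "rejected: $SSH_ORIGINAL_COMMAND"
        exit 1
    fi
fi
```

Every rejected request is logged with the original text, so a key that starts being used for anything other than a volume release shows up in the host's syslog.
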
Now that opendev.org backends requests certs unique to each backend we
should check these backends directly and not only through the frontend.
This way if a specific backend doesn't end up updating with LE properly
we will catch it.
Change-Id: Icabb1bcb725937da45ae9aaef2c9da412a30a319
We are seeing issues with hanging git connections discussed in [1].
It is suggested to upgrade to gitea 1.9.6; do that.
[1] https://github.com/go-gitea/gitea/issues/9006
Change-Id: Ibbbe73b5487d3d01a8d7ba23ecca16c2264973ca
This is the first step in managing the opendev.org cert with LE. We
modify gitea01.opendev.org only to request the cert so that if this
breaks the other 7 giteas can continue to serve opendev.org. When we are
happy with the results we can merge the followup change to update the
other 7 giteas.
Depends-On: https://review.opendev.org/694182
Change-Id: I9587b8c2896975aa0148cc3d9b37f325a0be8970
The homepage mentions a lot of technologies that OpenDev use, but
doesn't link to any of the running instances. This commit
adds links to review.opendev.org, etherpad.openstack.org and
the configuration for the opendev homepage itself, so that
it's easier to find things and to experience the technologies
it refers to.
Change-Id: Ia041ebbc558539955238bb4fdb4da868bf6f1dd8
When apache2 gets reloaded multiple times in quick succession, it may
crash and fail completely. Lately this has been seen very often on our
ask.openstack.org instance, so let us use the more intrusive, but
hopefully, in the end, more stable method of restarting instead.
Change-Id: I44e4561f8696415471f65b75d683c48636fb413f
I'm bad at Gitea templates, so the recently-introduced "proposed
changes" tab is active-selected (while it should never be) and the link
is missing the repository name.
This should fix it...
Change-Id: I02adc8ebd012adc233a37223480d14517c7f3c98
Gitea is quickly becoming the public face of Opendev, however it can
be difficult for visitors to understand how to propose changes (or
access already-proposed changes), and then assume everything on opendev
is read-only (which is the exact opposite of what we want to convey).
In the spirit of further integrating Opendev tooling, add a link on
every repository to open proposed changes on Gerrit.
NB: the link is not I18n-ilized since there is no simple way to add a
new string there, and I did not want to use the "Pull requests"
terminology.
Change-Id: I851a1e7d25556194947198a8f5534542d167c7f8