Create a mailing list for private coordination of security incidents
for the OpenDev Collaboratory. The intent is that this can be used
to share sensitive information between sysadmins and council members
in the event of any suspected breach. For the sake of transparency,
all information discussed on this list which can safely be made
public should also be communicated to the service-announce or
service-discuss mailing lists at the earliest opportunity.
Change-Id: I32bef68eb7019261471c167d19eee733457078a2
Virtual summit fun! We need more capacity for openstackid. smarcet says
there isn't really any shared state, so this should be safe; then we can
sort out a load balancer.
Change-Id: I2a7d62bc980a797f7c45d119a5398925f5607df0
We're using logrotate to keep a small number of db backups locally. We
write these backups to disk compressed. We don't want logrotate to
recompress them. This is unnecessary extra work.
Change-Id: Iafe1628ff421f47cf3e5cbee14998eeceb60be4c
Docker has long planned to turn this off and it appears that they have
done so. Planning details can be found at:
https://www.docker.com/blog/registry-v1-api-deprecation/
Removing this simplifies our configs as well as testing. Do this as part
of good hygiene.
Change-Id: I11281167a87ba30b4ebaa88792032aec1af046c1
We can rely on Require instead of Order, Allow, Deny, Satisfy since we
are all on apache 2.4 now. This simplifies reasoning about acl rules.
Change-Id: Idedba1558ccaa1c753d1175e356bf26a8d4b1084
The user agent filter has been turned into a reusable Ansible role
containing a macro definition. Add that role and replace the
hard-coded copy of the user agent filter here with that
UserAgentFilter macro.
Change-Id: Ic24a38c93f0f68fab9ef1168de91ffad477fe13c
A copy of the filter used for our Gitea farm, this same activity has
been showing up on our tarballs.opendev.org site as well which is
consuming available connection slots for all vhosts on the static
server.
This is implemented as a macro so that it can be included into
additional vhosts, and put into a separate role so that it can be
added to all playbooks which need it. A subsequent change will add
it to the Gitea servers, eliminating the redundant copy there.
Change-Id: Ic2020b753076209f7708f76744fdf746bf933bd9
We don't need to keep using the old Apache 2.2 Satisfy ACL primitive
because we are now running Apache 2.4 everywhere. Stick to Require
as it simplifies understanding of ACLs by being consistent.
Change-Id: Ib2f7ea1909b9798279efc77a42b632e7129bd1d0
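As an added illustration of the two commits above (not the project's actual Ansible role or filter), the Apache 2.2 Order/Allow/Deny/Satisfy form is shown beside its 2.4 Require equivalent, wrapped in a mod_macro definition so it can be reused across vhosts. The UserAgentFilter macro name is from the page; the MSIE pattern, the badagent variable and the hostname are constructed for the example.

```apache
# Apache 2.2 style (what the commits replace). Host-based rules used
# Order/Allow/Deny, and Satisfy chose how to combine them with auth:
# "Satisfy any" maps to <RequireAny>, "Satisfy all" to <RequireAll>.
# Getting that mapping wrong can silently loosen the ACL.
# <Location />
#     Order allow,deny
#     Allow from all
#     Deny from env=badagent
#     Satisfy any
# </Location>

# Apache 2.4 style: a single vocabulary, Require, in a reusable macro.
# Needs mod_macro, mod_setenvif and mod_authz_core.
<Macro UserAgentFilter>
    # Tag requests whose User-Agent matches a blocked pattern.
    # Constructed pattern for this example: MSIE 6 through 9.
    SetEnvIfNoCase User-Agent "MSIE [6-9]\." badagent

    # "Require not" can only return denied or neutral, so it must sit
    # inside <RequireAll> next to a granting directive.
    <RequireAll>
        Require all granted
        Require not env badagent
    </RequireAll>
</Macro>

<VirtualHost *:443>
    ServerName tarballs.example.org   # placeholder hostname
    <Location />
        Use UserAgentFilter
    </Location>
</VirtualHost>

# After the last Use, undefine the macro so a stray later Use fails
# at config check time instead of silently expanding.
UndefMacro UserAgentFilter
```

Validate with `apachectl configtest` before reloading; a filtered request is answered with 403 and appears in the access log, which is how the effect on connection slots can be confirmed.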
Added new search criteria for endpoint
GET /api/v1/users
primary_email (==,@=)
Change-Id: Ib643a8c1ba4e79444463777197fc86a64a1912be
Signed-off-by: smarcet <smarcet@gmail.com>
We found a couple of projects that were initially moved under "x/" but
then moved back under "openstack/" later. The original scripts didn't
take this into account (I5bf2ddf09b3df71a3428a8a0c535b131ecbc0bca has
been updated to note this).
The affected projects have been moved back manually on AFS, and this
corrects the website redirects.
Change-Id: I59ba05923ec5aa1ca8fed337b6384064b3038836
The existing filtered UAs seem to catch the bulk of the traffic but
there are a few common ones that are still sneaking through. Add four
new rules for these cases.
All three are MSIE variants from version 6 to 9. All old enough that we
should be able to do this safely without impacting real users.
Change-Id: I8ae59f38de8b30bd06e1643ddbccf81ea32858aa
We seem to be under a similar attack to last time. The new apache filter
in front of gitea was implemented to be used if this happened again.
Switch to it.
Change-Id: Ib9ed3029dad7fc26cca209fece547a2a94d8da4a
When moving unofficial repositories out of the openstack git
namespace, compute-hyperv was included because it was not under the
governance of any official team or SIG. Later the OpenStack
Winstackers team adopted it and we moved it back into the openstack
git namespace.
More recently, when moving and redirecting tarballs site
content/URLs based on the original git namespace moves, we failed to
take into account that this project had moved back into the
openstack git namespace. Undo the redirect, and then the old
tarballs will be moved manually to match.
Change-Id: I208d3196ac38ccfbad6269a75848339c95e08c2b
Since we haven't used this anywhere yet, let's start with the latest
version.
Fix role matching for job too.
Change-Id: I22620fc7ade8fbdb664100ef6b6ab98c93d6104f
We've disabled access to the local gerrit git mirrors at the /p/ prefix
previously as newer gerrit uses that path for something else. The next
step is to stop replicating to that location entirely.
Another reason for this is that when we switch to notedb this local
replication will replicate everything; then, if we expose it, we'd
potentially expose content we don't want to via git (rather than the
gerrit APIs).
Change-Id: I795466af3e1608eefe506ca56828327491f73c27
The title.svg logo for opendev and two jquery js files are no longer
managed by ansible nor do they appear to be in our docker image. They
appear to have been lost when we converted from puppet to ansible +
docker. Add them back in. We are also missing the icla html content (but
not the other CLAs); add this one back in.
We vendor the js contents even though in the past we copied them from a
git repo clone and a distro package installation. This way we don't have
unexpected surprises, record that the files are used, and can always
update them later.
Change-Id: I981b4b0f233ece45d03a80dc1724a4e496f66eb8
To catch up -- because this work is moving slowly ... the two backup
servers are currently the vexxhost and RAX ORD hosts. The vexxhost
node is deployed with Ansible on Bionic, but the old ORD host still
needs to be upgraded and moved out of puppet. Instead of dealing with
the unmaintained bup and getting it to work on the current LTS Focal,
we are doing an initial borg deployment with plans to switch to it
globally.
This adds the backup02.ca-ymq-1.vexxhost.opendev.org to the inventory
and borg-backup-server group, so it will be deployed as a borg backup
server (note, no hosts are backing up to it, yet).
To avoid the original bup roles matching, we restrict the
backup-server group to backup01.ca-ymq-1.vexxhost.opendev.org
explicitly.
Change-Id: Id30a2ffad75236fc23ed51b2c67d0028da988de5
This will allow us to test further gerrit upgrades while we sort out how
far into the gerrit releases we will be upgrading to on our next
upgrade.
Change-Id: Ic9d07b76e41ad4262cc0e2e1ff8a5d554f88239e
This matches the file, which got lost in my original script because I
didn't quote a $. Also add some quotes for better grouping.
Change-Id: I335e89616f093bdd2f0599b1ea1125ec642515ba
There appears to be a gitea bug that causes PATCH updates to projects to
fail when the cache is in a bad state for that project. We use PATCH
updates to a project to set the project descriptions. Since project
descriptions are not critical to gitea functionality (we weren't
updating them until last week) we can treat this as best effort and
ignore these failures.
We'll log these cases to aid in further debugging but continue on. The
next pass can retry.
Change-Id: I625bdc0856caaccb6b55931b0cdc6cf11a0bf3e1
Gitea has added a STACKTRACE_LEVEL config option to set which log level
will also generate stack traces when logging. We want them for at least
Error and above so set this to Error for now. In particular there seems
to be a commit cache issue which results in errors that having stack
traces for would be helpful to debug.
Change-Id: I0491373ef143dfa753c011d02e3c670c699d2a52