The Airship, StarlingX and Zuul git sites "hide" the namespaces of
their repositories, so they need additional rewriting to re-add them when
redirecting to the OpenDev Gitea service. In an effort to avoid
rewrite loops, pattern match them on specific repository name
prefixes so they won't match the namespaces being inserted.
Change-Id: I0a19393147eca5d75b286dfb8bda5665f31a2a2b
Task: #29705
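The loop-avoidance point above can be shown in a small model of the rewrite pass. This is an added example, not the project's Apache configuration: the repository-name prefixes (airship-, stx-, zuul-/nodepool) and the Gitea base URL are assumptions for illustration, and the fixed-point loop stands in for mod_rewrite re-entering its rules on the rewritten path.

```python
import re

MAX_PASSES = 10  # a rewrite that has not converged by now is looping

# Namespace-restoring rules (request path -> path), modelled on what the
# redirect vhosts do before sending the browser to the Gitea service.
# The repository-name prefixes are assumptions for illustration, not the
# prefixes OpenDev actually matches.
PREFIXED_RULES = [
    (re.compile(r"^/(airship-[^/]+)(.*)$"), r"/airship/\1\2"),
    (re.compile(r"^/(stx-[^/]+)(.*)$"), r"/starlingx/\1\2"),
    (re.compile(r"^/(zuul-[^/]+|nodepool)(.*)$"), r"/zuul/\1\2"),
]

# The loop-prone alternative: insert the namespace in front of any path.
# After one pass the path starts with "/airship/", which matches again.
NAIVE_RULES = [
    (re.compile(r"^/(.+)$"), r"/airship/\1"),
]


def rewrite_once(path, rules):
    """First matching rule wins, like RewriteRule ... [L]."""
    for pattern, template in rules:
        m = pattern.match(path)
        if m:
            return m.expand(template)
    return path


def rewrite(path, rules):
    """Re-run the rule set until the path stops changing, the way
    mod_rewrite re-enters per-directory rules on a rewritten URL.
    Raises RuntimeError instead of spinning forever."""
    for _ in range(MAX_PASSES):
        new = rewrite_once(path, rules)
        if new == path:
            return path
        path = new
    raise RuntimeError("rewrite loop, last path %r" % path)


def loops(path, rules):
    """True if the rule set never reaches a fixed point for this path."""
    try:
        rewrite(path, rules)
    except RuntimeError:
        return True
    return False


def gitea_url(path, rules=PREFIXED_RULES, base="https://opendev.org"):
    """Final redirect target for a request path on one of the git sites
    (base URL assumed)."""
    return base + rewrite(path, rules)


if __name__ == "__main__":
    for p in ("/airship-armada/commit/abc", "/nodepool", "/something-else"):
        print(p, "->", gitea_url(p))
    print("naive rule loops:", loops("/airship-armada", NAIVE_RULES))
```

Because every prefixed pattern requires the hyphenated repository prefix directly after the leading slash, a path that already starts with a namespace directory such as /airship/ can never match a second time; the naive rule has no such anchor and re-matches its own output.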
The ansible-role-puppet role manages puppet.conf for us. These two roles
are currently fighting each other over the presence of the server line
in puppet.conf. Avoid this by removing the removal of this line and the
templatedir line from the new puppet-install role since
ansible-role-puppet was there first. Basically just trust
ansible-role-puppet to write a working puppet.conf for us.
Change-Id: Ifb1dff31a61071bd867d3a7cc3cbcc496177e3ce
This created confusion when updating configs to handle journald. Remove
the unused files and update docs to point at the proper config location.
Change-Id: Ifd8d8868b124b72a86cf7b5acb30480e72b903ed
This is an initial change for deploying letsencrypt certificates on
graphite01.opendev.org. As we are still in a testing phase, use test
mode.
Change-Id: I3e762d071cc609856950898b36f1903fe52840a6
This enables automatic reload of the replication configuration for
review-dev.
Depends-On: https://review.openstack.org/650049
Change-Id: I3be630339870d527bedcfbd84b8dc8084dc10f4b
This change contains the roles and testing for deploying certificates
on hosts using letsencrypt with domain authentication.
From a top level, the process is implemented in the roles as follows:
1) letsencrypt-acme-sh-install
This role installs the acme.sh tool on hosts in the letsencrypt
group, along with a small custom driver script to help parse output
that is used by later roles.
2) letsencrypt-request-certs
This role runs on each host, and reads a host variable describing
the certificates required. It uses the acme.sh tool (via the
driver) to request the certificates from letsencrypt. It populates
a global Ansible variable with the authentication TXT records
required.
If the certificate exists on the host and is not within the renewal
period, it should do nothing.
3) letsencrypt-install-txt-record
This role runs on the adns server. It installs the TXT records
generated in step 2 to the acme.opendev.org domain and then
refreshes the server. Hosts wanting certificates will have
pre-provisioned CNAME records for _acme-challenge.host.opendev.org
pointing to acme.opendev.org.
4) letsencrypt-create-certs
This role runs on each host, reading the same variable as in step
2. However this time the acme.sh tool is run to authenticate and
create the certificates, which should now work correctly via the
TXT records from step 3. After this, the host will have the
full certificate material.
Testing is added via testinfra. For testing purposes requests are
made to the staging letsencrypt servers and a self-signed certificate
is provisioned in step 4 (as the authentication is not available
during CI). We test that the DNS TXT records are created locally on
the CI adns server, however.
Related-Spec: https://review.openstack.org/587283
Change-Id: I1f66da614751a29cc565b37cdc9ff34d70fdfd3f
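The hand-off between step 2 (collect the TXT records acme.sh asks for) and step 3 (install them on the adns server) is the part of the flow worth seeing in code. The following is an added example, not the project's driver script or roles: the acme.sh output is constructed to mimic its DNS manual-mode messages, the CNAME table is a constructed stand-in for DNS, and the zone name, TTL and host names are assumptions. It parses the challenge names and values, follows the pre-provisioned _acme-challenge CNAME to the acme.opendev.org zone, refuses hosts whose CNAME is missing or points elsewhere, and emits the TXT resource records that would be appended to that zone.

```python
import re

ZONE = "acme.opendev.org"   # the only zone the adns role may write TXT records into

# Constructed sample of what acme.sh prints in DNS manual mode for a host
# wanting two names.  The "Domain:" / "TXT value:" lines are what the driver
# is assumed to parse; the timestamps are just what acme.sh prefixes.
ACME_SH_OUTPUT = """\
[Tue Apr  9 02:11:00 UTC 2019] Add the following TXT record:
[Tue Apr  9 02:11:00 UTC 2019] Domain: '_acme-challenge.graphite01.opendev.org'
[Tue Apr  9 02:11:00 UTC 2019] TXT value: 'constructed-token-one-0123456789abcdefghijk'
[Tue Apr  9 02:11:00 UTC 2019] Please be aware that you prepend _acme-challenge. before your domain
[Tue Apr  9 02:11:00 UTC 2019] Add the following TXT record:
[Tue Apr  9 02:11:00 UTC 2019] Domain: '_acme-challenge.graphite.opendev.org'
[Tue Apr  9 02:11:00 UTC 2019] TXT value: 'constructed-token-two-0123456789ABCDEFGHIJK'
"""

# Constructed view of the pre-provisioned CNAMEs (normally in the opendev.org zone).
CNAMES = {
    "_acme-challenge.graphite01.opendev.org": ZONE,
    "_acme-challenge.graphite.opendev.org": ZONE,
}

DOMAIN_RE = re.compile(r"Domain: '([^']+)'")
TXT_RE = re.compile(r"TXT value: '([^']+)'")
# A DNS-01 TXT value is base64url(SHA-256(key authorization)): 43 chars, no padding.
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]{43}$")


def parse_acme_sh(output):
    """Return [(challenge_name, txt_value), ...] from acme.sh manual-mode output."""
    records, domain = [], None
    for line in output.splitlines():
        m = DOMAIN_RE.search(line)
        if m:
            domain = m.group(1)
            continue
        m = TXT_RE.search(line)
        if m:
            if domain is None:
                raise ValueError("TXT value without preceding Domain line: %r" % line)
            if not TOKEN_RE.match(m.group(1)):
                raise ValueError("TXT value does not look like a DNS-01 token: %r" % m.group(1))
            records.append((domain, m.group(1)))
            domain = None
    return records


def resolve_challenge(name, cnames, zone=ZONE):
    """Follow the _acme-challenge CNAME; the target must be inside the zone
    the adns role controls, or the record can never be served."""
    target = cnames.get(name)
    if target is None:
        raise LookupError("no _acme-challenge CNAME pre-provisioned for %s" % name)
    if target != zone and not target.endswith("." + zone):
        raise LookupError("%s CNAME points outside %s: %s" % (name, zone, target))
    return target


def missing_cnames(records, cnames, zone=ZONE):
    """Names whose challenge cannot be delegated into the zone (step 4 would fail)."""
    bad = []
    for name, _ in records:
        try:
            resolve_challenge(name, cnames, zone)
        except LookupError:
            bad.append(name)
    return bad


def zone_records(records, cnames, zone=ZONE, ttl=300):
    """TXT RRs (master-file syntax) to append to the zone before reloading it."""
    lines = []
    for name, value in records:
        owner = resolve_challenge(name, cnames, zone)
        lines.append('%s. %d IN TXT "%s"' % (owner, ttl, value))
    return lines


if __name__ == "__main__":
    recs = parse_acme_sh(ACME_SH_OUTPUT)
    print("\n".join(zone_records(recs, CNAMES)))
```

Several hosts delegating to the same owner name simply yield several TXT records at that name, which an ACME validator accepts; a host without the CNAME is reported before anything is written to the zone, which is the failure mode step 4 would otherwise surface only as a rejected challenge.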
The zonefile isn't required in the config file as we are just
transferring from adns1. Since we don't create the directory for the
files, it results in warnings in the nsd logs -- this can be a
confusing red-herring in a debugging situation.
Change-Id: I3e16a359549707a4a3967f580161dec9e71ab689
Related-Bug: https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=4244
Change I754637115f8c7469efbc1856e88bbcb6fb83b4ce moved a bunch of log
collection to use "stage-output". This uses "fetch-output" which
automatically puts these logs in hostname subdirectories; but it does
not have an option to put it in hosts/hostname as we were doing with
the other logs.
Although we could add such support, it probably doesn't make sense as
most other multinode jobs will have the same layout with the host logs
at the top level. Remove the intermediate "/hosts/" directory on
system-config jobs so all logs remain at the top level, and we don't
have this confusing split as to where logs are for each host.
Change-Id: I56bd67c659ffb26a460d9406f6f090d431c8aa79
We mainly focus on opensuse leap, so having those
mirrors up to date is more important than tumbleweed.
We need to avoid tumbleweed blocking the rest of the
sync, so we are permissive with errors there for now.
Change-Id: If15b0f65d7f4a470d9274be41b3d921d7709f19a
We have hosts with an extra volume mounted to e.g. /opt, we want to
monitor disk space for those volumes, too.
For reference, this is how a sample list of hrStorageDescr looks
before filtering:
$ php -q add_graphs.php --host-id=$HOST_ID --list-snmp-values --snmp-field=hrStorageDescr
Known values for hrStorageDescr for host 350: (name)
/
/dev/shm
/opt
/opt/dib_tmp/dib_build.yFIsY6K6/mnt/tmp/yum
/run
/run/lock
/run/user/0
/sys/fs/cgroup
Cached memory
Memory buffers
Physical memory
Shared memory
Swap space
Virtual memory
Change-Id: Ia75448f68a0cee50a3a164a483869ab526bb8ad7
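The list above mixes real mount points with tmpfs pseudo-filesystems, memory counters and a transient diskimage-builder mount. The following is an added example of a selection policy over that list; it is not the project's actual cacti filter, and the policy (keep block-backed mount points, drop /dev/shm, /run, /sys and anything under /opt/dib_tmp/) is an assumption chosen to keep / and extra volumes such as /opt while avoiding graphs for mounts that come and go between SNMP walks.

```python
import re

# The hrStorageDescr values from the commit message, as constructed input.
HR_STORAGE_DESCR = [
    "/", "/dev/shm", "/opt", "/opt/dib_tmp/dib_build.yFIsY6K6/mnt/tmp/yum",
    "/run", "/run/lock", "/run/user/0", "/sys/fs/cgroup",
    "Cached memory", "Memory buffers", "Physical memory", "Shared memory",
    "Swap space", "Virtual memory",
]

# Assumed policy, not the project's: memory-backed pseudo-filesystems and
# transient build mounts are not worth a disk-space graph.
PSEUDO_FS = re.compile(r"^/(dev/shm|run|sys)(/|$)")
TRANSIENT = re.compile(r"^/opt/dib_tmp/")


def wanted_storage(descrs):
    """Mount points that should get a disk-space data source."""
    keep = []
    for d in descrs:
        if not d.startswith("/"):
            continue            # memory counters, graphed by other templates
        if PSEUDO_FS.match(d) or TRANSIENT.match(d):
            continue
        keep.append(d)
    return keep


def rejected_storage(descrs):
    """The complement, useful when reviewing why a volume is not graphed."""
    wanted = set(wanted_storage(descrs))
    return [d for d in descrs if d not in wanted]


if __name__ == "__main__":
    for mount in wanted_storage(HR_STORAGE_DESCR):
        print("graph:", mount)
```

The transient entry is the one to watch: a data source created for /opt/dib_tmp/dib_build.yFIsY6K6/... would stop updating as soon as that build finished, so the policy drops it even though it starts with /opt.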
This is a follow-on to I39cb9dc0aa52cf5b20545baf4acacc21c5459f2a; as
buster has no backports we need to skip this in the reprepro
configuration. It's a bit hacky, but we can revert when it is
available.
Change-Id: I60e231f23999d0af9c899a30822c71702befb2bd
A long time ago, we created repos on the git farm for the use of
Zuul. We put those in /var/lib/git/zuul. They were not added
to the cgit index, so were generally not visible.
E.g., /var/lib/git/zuul/openstack/nova.git
We no longer use them, and we now want to create repos in the
zuul namespace, e.g., /var/lib/git/zuul/project-config.git.
Therefore we need to tell jeepyb to stop creating repos in the
zuul directory and additionally manually remove the repos from
the git servers.
Change-Id: Ibb72bc5e8a21195e829f55c5bea242ca69c6fceb
For Train+ openSUSE is no longer focusing on Leap 42.3,
so we shouldn't try to mirror it going forward. In order
to make this more flexible we need to break out the loop because
in general not all combinations of Base OS and OpenStack
release might be available.
Change-Id: If0a783d85ce292772b845dfc6bdf55abafb56cb9
This adds the concept of an unmanaged domain; for unmanaged domains we
will write out the zone file only if it doesn't already exist.
acme.opendev.org is added as an unmanaged domain. It will be managed
by other ansible roles which add TXT records for ACME authentication.
The initial template comes from the dependent change, and this ensures
the bind configuration is always valid.
For flexibility and testing purposes, we allow passing an extra
refspec and version to the git checkout. This is one way to pull in
changes for speculative CI runs (I looked into having the hosts under
test checkout from Zuul; but by the time we're 3 ansible calls deep
on the DNS hosts-under-test it's a real pain. For the amount of times
we update this, it's easier to just allow a speculative change that
can take a gerrit URL; for an example see [1])
[1] https://review.openstack.org/#/c/641155/10/playbooks/group_vars/dns.yaml
Testing is enhanced to check for zone files and correct configuration
stanzas.
Depends-On: https://review.openstack.org/641154
Depends-On: https://review.openstack.org/641168
Change-Id: I9ef5cfc850c3458c63aff46cfaa0d49a5d194e87
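The "write the zone file only if it doesn't already exist" rule is the same semantics as Ansible's copy/template modules with force: no. The following is an added example that exercises that rule outside Ansible; it is not the project's role code, and the domain list, the minimal zone template and the name server name are assumptions. It runs the zone writer twice with a TXT record appended to the unmanaged zone in between, as the letsencrypt role would do, and shows that the managed zone is re-templated while the unmanaged one keeps the foreign record.

```python
import os
import tempfile

ADNS = "adns1.opendev.org."   # assumed primary name server name

# Constructed domain list in the spirit of the role's host variable:
# managed zones are re-templated on every run, unmanaged ones only seeded.
DOMAINS = {
    "opendev.org": {"unmanaged": False},
    "acme.opendev.org": {"unmanaged": True},
}


def initial_zone(domain, serial=1):
    """Minimal syntactically valid zone (assumed template, not the project's)."""
    return (
        "$TTL 300\n"
        "@ IN SOA {ns} hostmaster.{d}. ( {s} 3600 900 604800 300 )\n"
        "@ IN NS {ns}\n"
    ).format(ns=ADNS, d=domain, s=serial)


def write_zone(zone_dir, domain, unmanaged):
    """Return True if the file was (re)written, False if it was left alone."""
    path = os.path.join(zone_dir, domain + ".zone")
    if unmanaged and os.path.exists(path):
        return False          # another role owns its contents from now on
    with open(path, "w") as f:
        f.write(initial_zone(domain))
    return True


def apply_zones(zone_dir, domains=DOMAINS):
    """One run of the zone writer; maps domain -> whether it was written."""
    return {d: write_zone(zone_dir, d, cfg["unmanaged"]) for d, cfg in domains.items()}


def demo():
    """Two runs with a foreign TXT record added to the unmanaged zone between them."""
    with tempfile.TemporaryDirectory() as zone_dir:
        first = apply_zones(zone_dir)
        acme = os.path.join(zone_dir, "acme.opendev.org.zone")
        with open(acme, "a") as f:      # what the letsencrypt TXT role would do
            f.write('@ IN TXT "constructed-acme-token"\n')
        second = apply_zones(zone_dir)
        with open(acme) as f:
            kept = "constructed-acme-token" in f.read()
    return first, second, kept


if __name__ == "__main__":
    print(demo())
```

The first run seeds both files so the name server configuration is valid from the start; on the second run the managed zone is overwritten as usual, and the unmanaged one is skipped, which is what keeps the ACME TXT records from being clobbered.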
Although we only have adns01, for testing purposes it would be handy
to have another adns server in testinfra (this way, we can write tests
for letsencrypt paths that don't try and execute on the existing dns
testing paths).
Change-Id: Ie1968660c110bdb626df637f182f1f39598e59ac
This allows the zones to load, which is useful in follow-on changes
where we can query them on the host from testinfra to make sure it's
all working.
Change-Id: I9d22c07ce2d1ebad67b0f1ca222c1b457779ce47
For our git redirect virtualhosts, allow the full set of mod_rewrite
directives. These are entirely under our static control, so should
be safe.
Change-Id: Ia9c12ccc42ea157ebc4e3060841f1ab2d13008a3