This provisions the cert but doesn't switch apache to it. When we are
happy with the new cert we can land the child change which will flip
apache over to the new cert.
Change-Id: I9cffd26a51317ea569b078b89cc30dc34c7e7747
Once we are happy with the ethercalc LE cert we can land this change to
update the apache config to use the LE cert.
Change-Id: Ic35031fb03c928ba4089f292c4d714d4844f29fe
This runs the LE ansible alongside the ethercalc puppetry to get an LE
cert provision for this service. Once we are happy with the new cert we
can land the followup change to switch to the LE cert.
Note we don't add an altname for the host because that will require
extra DNS records in rax DNS.
Change-Id: I04c062eb994f672283aa30ffcc0c4d45fc8c50f6
We are using synchronize to copy the openstack mailman templates which
preserved the ownership and group and permissions of the source files on
bridge. This isn't a major problem but it is ugly so we fix it.
To fix it we set rsync_opts for synchronize to set a usermap and a
groupmap to map the bridge info to the data we want on the remote.
Change-Id: I209345cbe9e27beb18d1ba31e6715bf850bc022b
We have shifted over to using ansible for managing the listservs.
This also updates our service docs to point at the corret ansible and
not puppet.
Change-Id: I76f01ff1479c5af0a502a060aac2baa1ab622b21
The usptream haproxy image switched to running as a user, rather than
as root. This means it can not bind to 80/443 and instantly dies.
I've added a comment with some discussion, but for now, use the root
user.
[1] 82ff028a25
Change-Id: Ic9b04cdd09f73d9df015bcb173871cff1ae58835
The haproxy 2.4 images aren't working for us, docker-compose
perpetually reports the container in a "restarting" state. Pin back
from latest to 2.3 until we can sort out what needs to change in how
we integrate this on the server.
Change-Id: I01ae11a31eb8eaeb9e570692d5ec268395f69a97
We just discovered that a number of new servers have rather small swap
sizes. It appears this snuck in via change 782898 which tries to bound
the max swap size to 8GB. Unfortunately the input to parted expects MB
so we make a swap size of 8MB instead of 8GB.
Bump the min value to 8192 to fix this.
Change-Id: I76b5b7dd8ac76c2ecbab9064bcdf956394b3a770
We run these ansible jobs serially which means we don't gain much by
forcing ansible to use a small number of forks. Double the default for
our infra prod job fork count from 5 to 10 to see if this speeds up our
deploy jobs.
Note some jobs override this value to either add more forks or fewer
when necessary. These are left as is.
Change-Id: I6fded724cb9c8654153bcc5937eae7203326076e
This removes the kata-containers tenant backup entry as that tenant no
longer exists. We also add status json backups for the opendev,
vexxhost, zuul, pyca, and pypa tenants. This gets us in sync with the
current tenant list.
Change-Id: I8527676dda67915e6ebe0d1c5fde7a57a7ac2e5b
This fixes the zuul debug log's logrotate filename. We also increase the
rotation count to 30 daily logs for all zuul scheduler zuul processes
(this matches the old server).
We also create a /var/lib/zuul/backup dir so that status.json backups
have a location they can write to. We do this in the base zuul role
which means all zuul servers will get this dir. It doesn't currently
conflict with any of the cluster members' /var/lib/zuul contents so
should be fine.
Change-Id: I4709e3c7e542781a65ae24c1f05a32444026fd26
This cleans up zuul01 as it should no longer be used at this point. We
also make the inventory groups a bit more clear that all zuul servers
are under the opendev.org domain now.
Depends-On: https://review.opendev.org/c/opendev/zone-opendev.org/+/790483
Change-Id: I7885fe60028fbd87688f3ae920a24bce4d1a3acd
This zuul02 instance will replace zuul01. There are a few items to
coordinate when doing an actual switch so we haven't removed zuul01 from
inventory here. In particular we need to update gearman server config
values in the zuul cluster and we need to save queues, shutdown zuul01,
then start zuul02's scheduler and restore queues there.
I believe landing this change is safe as we don't appear to start zuul
on new instances by default. Reviewers should double check this.
Depends-On: https://review.opendev.org/c/opendev/zone-opendev.org/+/791039
Change-Id: I524b456e494124d8293fbe8e1468de40f3800772
This job is not added in the parent so that we can manually run
playbooks after the parent lands. Once we are happy with the results
from the new service-lists.yaml playbook we can land this change and
have zuul automatically apply it when necessary.
Change-Id: I38de8b98af9fb08fa5b9b8849d65470cbd7b3fdc
This converts our existing puppeted mailman configuration into a set of
ansible roles and a new playbook. We don't try to do anything new and
instead do our best to map from puppet to ansible as closely as
possible. This helps reduce churn and will help us find problems more
quickly if they happen.
Followups will further cleanup the puppetry.
Change-Id: If8cdb1164c9000438d1977d8965a92ca8eebe4df
After the latest Bazel upgrade, the --spawn_strategy=standalone
doesn't show the output of the subprocess created, making the
troubleshoot of the failures impossible.
Since release 0.27 Bazel auto detects the execution strategy, if no
strategy flag is provided. If none of the strategy flags was used,
Bazel will generate a default list of strategies (in this order):
remote,worker,sandboxed,local
and, for every action it wants to execute, will pick up the first
strategy that can execute it.
See this blog entry for more details: [1].
[1] https://blog.bazel.build/2019/06/19/list-strategy.html
Change-Id: I4be8375cee88f3565bae5c53cd1a3484ce398aba
These files are involved in creating gerrit docker images; make sure
we trigger jobs when they are modified.
Change-Id: I7c4436e066cfb0c2d0b2ca7adf54c99b09dac95f
It seems we have some debugging to do on the openafs roles. The other
roles here, particularly the bazelisk one, aren't tested here, so
reduce the file matcher.
We can overhaul this more, but it seems like a post-puppet/xenial
thing to do.
Change-Id: I0a41ef48eab0560a23a4e29463435dfe0758d01e
Several of these domains have migrated to be deployed via our
letsencrypt roles and thus no-longer need special casing in the
certcheck list as they are automatically added now.
Change-Id: Id417db6af09f3ba96bb6da09d8cbf28dd8ddf276
Because Id68080575a30e4a08c99df0af603fbb65a0983bd didn't touch any of
the docker files (but just added new 3.9 builds) they didn't get
promoted. Update timestamp to trigger this.
Change-Id: I6bf33936d4da773329900a2a52d09654087313d4
This migrated to Ansible with
Idbe084f13f3684021e8efd9ac69b63fe31484606. Remove the now unused
puppet components.
Change-Id: I500d6eefcb64f4941e216b8590f4cd60ceec0811
Python 3.9 is released, so let's build containers.
This splits the docker-images/ files up as they are becoming a bit
crowded.
Change-Id: Id68080575a30e4a08c99df0af603fbb65a0983bd
