This container installs Limnoria, the supybot replacement as the
generic ircbot container. We install meetbot plugin as a sibling
project.
Previously we've conflated supybot with meetbot, which is a bit
confusing because meetbot is a plugin, but we also use other plugins
such as the channel logger. We also hope to convert some of our other
bots to Limnoria (ptgbot?) to consolidate everything. For this reason
I've called this the more generic "ircbot". The image installs
meetbot as a sibling project, with the idea being any other plugins
would also be installed as siblings.
The siblings install expects the work directory to be a relative
directory. I'm not sure we run this from other projects, but this
will work the same if we do.
Depends-On: https://review.opendev.org/c/opendev/meetbot/+/793876
Change-Id: Icee4c6bbb5ea235ba69c10f800a14bbf5beef3d5
A number of changes are needed to fit accessbot to OFTC's RBAC-style
permissions model and services syntax expectations. Most
importantly, access list entries now use role names for graduated
access tiers (member, chanop, master) rather than fine-grained
option flags. In order to avoid future confusion, switch variable
names and configuration keys to reflect that these are access levels
rather than masks.
While we're at it, skip setting the channel mlock if the result
would be a no-op, so that we don't unnecessarily spam the ircd with
pointless writes.
Also add a bunch of inline comments so I can more easily remember
the subtle nuances I spent a lot of time figuring out.
Change-Id: Id11598fc42672359e1abef7b70cc23100b16ab12
Depends-on: https://review.opendev.org/792843
It seems I added this --force with the original commit
(I4943ae723b06b0ad808e7c7f20788109e21aa8bf) but I'm not really sure
why. If we have built any siblings their wheels should have higher
version numbers (e.g. like pbr versioning with a "dev" on it).
Thus we shouldn't need to force the wheels to be installed. The
--force here causes a lot of uninstalls that take up quite a bit of
time, especially under emulation.
Change-Id: I88b824058dc1cee90bfe4c8c4fd43a86472bc478
Because Id68080575a30e4a08c99df0af603fbb65a0983bd didn't touch any of
the docker files (but just added new 3.9 builds) they didn't get
promoted. Update timestamp to trigger this.
Change-Id: I6bf33936d4da773329900a2a52d09654087313d4
Upstream change has merged that makes a REST endpoint that
enables/disables the Zuul Summary tab on a per-project basis in
results. It defaults to enabled.
This happens via a .jar which is now copied in during the build.
Change-Id: If50f0fa3c5fb116bd0a5a78694de1e7067aa7f11
Depends-On: https://gerrit-review.googlesource.com/c/plugins/zuul-results-summary/+/298465/
This appears to be a small update of bugfixes. The templates we have
modified in our images have not changed between v1.13.6 and v1.13.7
according to git diff in the go-gitea/gitea repo.
Change-Id: I28a2411e107786c7ff96bd7240f3d15190a88f9e
This picks up a variety of bug fixes and ensures we're keeping up.
The diff of the template files we modify between gitea v1.13.1, v1.13.4,
and v1.13.6 is empty. The diff between our modifications at v1.13.4
looks about how I would expect (implying that v1.13.6 is also fine).
Reviews should double check though.
We also add in setup for the system-config repo on the test gitea as
this will give us something to look at for verification purposes.
Change-Id: Idb3568a9d287a2d46d568ab7d8d3a7108739d23e
This adds a program, zookeeper-statsd, which monitors zookeeper
metrics and reports them to statsd. It also adds a container to
run that program. And it runs the container on each of the
ZooKeeper quorum members. And it updates the graphite host to
allow statsd traffic from quorum members. And it updates the
4-letter-word whitelist to allow the mntr command (which is used
to gather metrics) to be issued.
Change-Id: I298f0b13a05cc615d8496edd4622438507fc5423
This has our change to open etherpad on join, so we should no longer need
to run a fork of the web server. Switch to the upstream container image
and stop building our own.
Change-Id: I3e8da211c78b6486a3dcbd362ae7eb03cc9f5a48
This change adds comments to the python-base and python-builder
dockerfiles to force a rebuild of these images. We do this periodically
to pull in updates.
Change-Id: I109a46603a74a376cc36fdfbd35734f6dc835abe
This includes a fix for I216528a76307189d8d87bd2fcfeff95c6ceb53cc.
Now it's released we can be a bit more explicit about why we added the
workaround.
Change-Id: Ibaf1850549b5e7ec3622418b650bc5e59a289ab6
This is a private list to contact administrators that is suitable
for raising security concerns. I've stolen the wording from Ian's
similar I886f67d875abd09753511f6c33312cfc5eb62933 docs change.
Change-Id: I7eb094d9fc75494ab33e0b9133fb451724f96dad
Co-Authored-By: Ian Wienand <iwienand@redhat.com>
Ib7e7d7313e0827a40009df840119444611d74ca2 did not match the promote
job file filter, so the image wasn't promoted. Bump to create a new
image build.
Change-Id: I31e8368ec309e62a9cf3607acfd5157aa5b6c61e
This adds a dockerfile to build an opendevorg/refstack image as well as
the jobs to build and publish it.
Change-Id: Icade6c713fa9bf6ab508fd4d8d65debada2ddb30
We modify the x/ route to ensure we can serve git repos from x/.
Previously we had been using sed which is likely to be much more fragile
than patch. Patch will detect conflicts and other errors which would be
good for us to find out about early.
Change-Id: Ic324c7777e7851a6150e4415338c4628ac710970
This installs the zuul-summary-results plugin into our gerrit
container. testinfra is updated to take a screenshot of the plugin in
action.
Change-Id: Ie0a165cc6ffc765c03457691901a1dd41ce99d5a
bazel likes to build everything in ~/.cache and then symlink bazel-*
"convenience symlinks" in the workspace/build directory. This causes a
problem for building docker images where we run in the context of the
build directory; docker will not follow the symlinks out of build
directory.
Currently the bazelisk-build copies parts of the build to the
top-level; this means the bazelisk-build role is gerrit specific,
rather than generic as the name implies.
We modify the gerrit build step to break build output symlink and move
it into the top level of the build tree, which is the context the
docker build runs in later. Since this is now just a normal
directory, we can copy from it at will there.
This is useful in follow-on builds where we want to start copying more
than just the release.war file from the build tree, e.g. polygerrit
plugin output.
While we're here, remove the javamelody things that were only for 2.X
series gerrit, which we don't build any more.
[1] https://docs.bazel.build/versions/master/output_directories.html
Change-Id: I00abe437925d805bd88824d653eec38fa95e4fcd
Specify bazelisk_targets as a list, and join the targets as
space-separated in the build command. This is used in the follow-on
Ie0a165cc6ffc765c03457691901a1dd41ce99d5a.
While we are here, remove the build-gerrit.sh script that isn't used
any more, along with the step that installs it.
Also, refactor the tasks to use include_role (this is also used in the
follow on).
Change-Id: I4f3908e75cbbb7673135a2717f9e51f099a4860e
This change represents a number of edits originally suggested in
review comments on Idaefb41590df24e649a4fd5225cc1078f2903696 as well
as a general re-edit of some of the sections for improved accuracy
and flow.
Change-Id: I2806e8099f44c43c161cac51872a712e8ee128e8
This bumps our golang image up to buster-1.15 from buster-1.14 as gitea
bumps their minimum to 1.13 and I figure we should keep up to date.
The templates are updated to accommodate the new gitea templates. Primary
changes here are removal of icon sizes when specified and using imported
templates to simplify bits of code we weren't changing anyway.
We install openssh-server from buster-backports on our gitea-ssh image.
The reason for this is we pull in gitea's sshd_config from gitea itself
and the updated gitea wants to set options that older openssh in buster
proper doesn't support. Accommodate this with the newer openssh found in
backports.
We add a new favicon.svg to override the new default gitea svg favicon
which is served otherwise.
One other thing to call out is that gitea 1.13.0 added support for
kanban and similar project management tooling. We have explicitly
disabled this along with the wiki, issues and pull requests via
app.ini's repository.DISABLE_REPO_UNITS setting. You can find out more
about this setting here:
https://docs.gitea.io/en-us/config-cheat-sheet/#repository-repository
Change-Id: I4c483f90c7495ee1f80eacd2c79c38836aa6f483
This provides an HTML-only PolyGerrit plugin consistent with our
Gitea theming, generously provided by Paladox (many thanks!).
Since we have to split some roles in the build playbook, also name
the temporary patching role to make the build console a little
easier to read.
Change-Id: I3baf17d04b2dca34fc23dcab91c00544cedf0ca6
Gerrit 3.2 supports java 11 now and Gerrit 3.3 will be the last to
support java 8. Let's get ahead of things and switch to java 11.
Change-Id: I1b2f6b1bdadad10917ef5c56ce77f7d7cfc8625d
The previous change built new images but didn't promote them because we
only modified the jobs. This change modifies the dockerfile to ensure
the promote jobs also run.
Change-Id: I25722e64e7a36d396e217b9de14bd4b202ed95c8
Having upgraded to 3.2, we don't need these versions any more.
Change-Id: Ifc37a75aa62b2498e649a4c81b589a04c794184a
Depends-On: https://review.opendev.org/763617
The hound project has undergone a small re-birth and moved to
https://github.com/hound-search/hound
which has broken our deployment. We've talked about leaving
codesearch up to gitea, but it's not quite there yet. There seems to
be no point working on the puppet now.
This builds a container that runs houndd. It's an opendev specific
container; the config is pulled from project-config directly.
There's some custom scripts that drive things. Some points for
reviewers:
- update-hound-config.sh uses "create-hound-config" (which is in
jeepyb for historical reasons) to generate the config file. It
grabs the latest projects.yaml from project-config and exits with a
return code to indicate if things changed.
- when the container starts, it runs update-hound-config.sh to
populate the initial config. There is a testing environment flag
and small config so it doesn't have to clone the entire opendev for
functional testing.
- it runs under supervisord so we can restart the daemon when
projects are updated. Unlike earlier versions that didn't start
listening till indexing was done, this version now puts up a "Hound
is not ready yet" message while it is working; so we can drop
all the magic we were doing to probe if hound is listening via
netstat and making Apache redirect to a status page.
- resync-hound.sh is run from an external cron job daily, and does
this update and restart check. Since it only reloads if changes
are made, this should be relatively rare anyway.
- There is a PR to monitor the config file
(https://github.com/hound-search/hound/pull/357) which would mean
the restart is unnecessary. This would be good in the near future and we
could remove the cron job.
- playbooks/roles/codesearch is unexciting and deploys the container,
certificates and an apache proxy back to localhost:6080 where hound
is listening.
I've combined removal of the old puppet bits here as the "-codesearch"
namespace was already being used.
Change-Id: I8c773b5ea6b87e8f7dfd8db2556626f7b2500473
This change modifies the Dockerfile to ensure the promote job runs.
It also updates the branches used to build against to pull recent
security updates which don't seem to have made it to the proper stable
branches yet.
Change-Id: I2cc9a67515ffdf256fccf5771cf4cf327ed9dbd5
The current base image contains a few CVEs which are fixed:
- CVE-2020-12723
- CVE-2020-10878
- CVE-2020-10543
This rebuild should allow us to get them in, as they are included by
perl 5.28.1-6+deb10u1.
Change-Id: I34cdc1147b0fa74083517478db26e9fb0d4d16cd