This site replaces eavesdrop.openstack.org. I think this name makes
more sense.
That is/was being published by jobs directly pushing this onto the
eavesdrop server. Instead, the publishing jobs for irc-meetings now
publish to /afs/openstack.org/project/meetings.opendev.org. This
makes the site available via the static server.
This is actually a production no-op; nothing has changed for the
current publishing. It is still todo to figure out the correct
redirects to keep things working from the existing
eavesdrop.openstack.org and stop the old publishing method.
Depends-On: https://review.opendev.org/c/opendev/zone-opendev.org/+/794085
Change-Id: Ia582c4cee1f074e78cee32626be86fd5eb1d81bd
This is Ansible-core <2.12,>2.11.0 with community collections, which
includes debug plugin callsbacks, etc.
Change-Id: I13f72fc02549a84c01b901c58d7be18992c281bd
The ara-report role used to add this but it hasn't been updated for
the latest ARA (I008b35562994f1205a4f66e53f93b9885a6b8754). Add it
back here.
Change-Id: I2d56e7cde32cd7adabb359a35ecdaa9f0880f7d5
ARA's master branch now has static site generation, so we can move
away from the stable branch and get the new reports.
In the mean time ARA upstream has moved to github, so this updates the
references for the -devel job.
Depends-On: https://review.opendev.org/c/openstack/project-config/+/793530
Change-Id: I008b35562994f1205a4f66e53f93b9885a6b8754
We're moving to OFTC and this tries to capture the various types of
updates for bots and docs we'll need to do. I don't expect this to
be complete, but adds some good reminder for a few things we don't
want to miss.
Change-Id: I09f4c7aa1a2eb8cd167439d58ab4222f5e63a4b1
Now that accessbot has been altered to work with OFTC and its
channels list adjusted accordingly, switch the server parameter in
its configuration as well. The credentials have already been updated
in our private hostvars.
Change-Id: I84a6cfbaeed785f53c6f443b949ca53ef2d2494b
When installing bots on eavesdrop with py27/py35, there is a
regression with the latest pbr release. The workaround is to
have pbr preinstalled in the pip3 role.
Change-Id: I5ea790a50e180df36b480dcbb13530a80f398b5e
This will provision LE certs for openstackid.org. If we are happy with
the results then the child change can be merged to to swap apache over
to using the new cert.
Change-Id: Icc9fdd8a39630323916d1f33d9867f93fc6f2b85
* ask.o.o has been converted to LE
* ethercalc.o.o has been converted to LE
* storyboard.o.o has been converted to LE
* translate.o.o has been converted to LE
* openstackid-dev.o.o is fine without a valid cert
Change-Id: Ic7639f0e62d5269e35a5d909d67318cd74d0233e
We have decided to decommision the ask.openstack.org server as it is
running EOL Xenial, and its manually purchased certiface is about to
expire. Although it has been deprecated for some time, we feel like
it has been around long-enough as a resource that it is best if we
replace it with a place-holder. The links included here are the same
as the currently shown header explaining the site is read-only.
There's nowhere particularly relevant to redirect the site, so we add
a static file here, and some minimal Ansible to put it in the right
place in a generic way in-case we want to do the same for another
service.
Change-Id: I8a31f8fcf9b3064c0ae58e463a6014dc14b518a7
This provisions the cert then when we are happy with the results we can
land the child change to swap the cert over in apache.
Change-Id: Id8e66102cf26a3b9819d4638b7589f44f6400634
This provisions the cert but doesn't switch apache to it. When we are
happy with the new cert we can land the child change which will flip
apache over to the new cert.
Change-Id: I9cffd26a51317ea569b078b89cc30dc34c7e7747
This runs the LE ansible alongside the ethercalc puppetry to get an LE
cert provision for this service. Once we are happy with the new cert we
can land the followup change to switch to the LE cert.
Note we don't add an altname for the host because that will require
extra DNS records in rax DNS.
Change-Id: I04c062eb994f672283aa30ffcc0c4d45fc8c50f6
We're trying to phase out the ELK systems. While we have agreed to not
immediately turn anything off we probably don't need to keep running the
system-config-legacy-logstash-filters job as ELK should remain fairly
fixed unless someone rewrites config management for it and modernizes
it. And if that happens they will want new modern testing too.
Depends-On: https://review.opendev.org/c/openstack/project-config/+/792710
Change-Id: I9ac6f12ec3245e3c1be0471d5ed17caec976334f
We are using synchronize to copy the openstack mailman templates which
preserved the ownership and group and permissions of the source files on
bridge. This isn't a major problem but it is ugly so we fix it.
To fix it we set rsync_opts for synchronize to set a usermap and a
groupmap to map the bridge info to the data we want on the remote.
Change-Id: I209345cbe9e27beb18d1ba31e6715bf850bc022b
Gerrit's bazel rules are looking for python which doesn't exist on our
images. Add a python symlink to python3 until
https://gerrit-review.googlesource.com/c/gerrit/+/298903 is in a release,
which seems likely to be 3.5.
Change-Id: I1c15cceac1c9bbf435ed23bed7c1e3fe868f05ff
The usptream haproxy image switched to running as a user, rather than
as root. This means it can not bind to 80/443 and instantly dies.
I've added a comment with some discussion, but for now, use the root
user.
[1] 82ff028a25
Change-Id: Ic9b04cdd09f73d9df015bcb173871cff1ae58835
The haproxy 2.4 images aren't working for us, docker-compose
perpetually reports the container in a "restarting" state. Pin back
from latest to 2.3 until we can sort out what needs to change in how
we integrate this on the server.
Change-Id: I01ae11a31eb8eaeb9e570692d5ec268395f69a97
This removes the kata-containers tenant backup entry as that tenant no
longer exists. We also add status json backups for the opendev,
vexxhost, zuul, pyca, and pypa tenants. This gets us in sync with the
current tenant list.
Change-Id: I8527676dda67915e6ebe0d1c5fde7a57a7ac2e5b
This fixes the zuul debug log's logrotate filename. We also increase the
rotation count to 30 daily logs for all zuul scheduler zuul processes
(this matches the old server).
We also create a /var/lib/zuul/backup dir so that status.json backups
have a location they can write to. We do this in the base zuul role
which means all zuul servers will get this dir. It doesn't currently
conflict with any of the cluster members' /var/lib/zuul contents so
should be fine.
Change-Id: I4709e3c7e542781a65ae24c1f05a32444026fd26
This cleans up zuul01 as it should no longer be used at this point. We
also make the inventory groups a bit more clear that all zuul servers
are under the opendev.org domain now.
Depends-On: https://review.opendev.org/c/opendev/zone-opendev.org/+/790483
Change-Id: I7885fe60028fbd87688f3ae920a24bce4d1a3acd
This zuul02 instance will replace zuul01. There are a few items to
coordinate when doing an actual switch so we haven't removed zuul01 from
inventory here. In particular we need to update gearman server config
values in the zuul cluster and we need to save queues, shutdown zuul01,
then start zuul02's scheduler and restore queues there.
I believe landing this change is safe as we don't appear to start zuul
on new instances by default. Reviewers should double check this.
Depends-On: https://review.opendev.org/c/opendev/zone-opendev.org/+/791039
Change-Id: I524b456e494124d8293fbe8e1468de40f3800772
This converts our existing puppeted mailman configuration into a set of
ansible roles and a new playbook. We don't try to do anything new and
instead do our best to map from puppet to ansible as closely as
possible. This helps reduce churn and will help us find problems more
quickly if they happen.
Followups will further cleanup the puppetry.
Change-Id: If8cdb1164c9000438d1977d8965a92ca8eebe4df
Several of these domains have migrated to be deployed via our
letsencrypt roles and thus no-longer need special casing in the
certcheck list as they are automatically added now.
Change-Id: Id417db6af09f3ba96bb6da09d8cbf28dd8ddf276
This will run the ua tool to attach an UA token and to enable the
esm-infra repos. We also update unattended upgrades to auto pull
security updates from the ESM repos.
Change-Id: Ifb487d12df7b799d5fd2973d56741e0757bc4d4f
With a pure javascript plugin, dropping a new file in the plugins/
directory and reloading the page is sufficient to see changes.
However, with .jar plugins (as zuul-summary-plugin now is) you need to
actually issue a reload, which requires the included permissions.
Enable it dev mode, which is where you'll very likely be trying to
iterate development with a change to a plugin. I don't think it's
really that dangerous for production, but traditionally it's been off
there so let's leave it like that.
While we're here, write out a little script to help you quickly deploy
a new .jar of the plugin when we're testing.
Change-Id: I57fa18755f8a8168da12c48f1f38d272da1c6599
The Limesurvey service hosted at survey.openstack.org was a beta
which saw limited use. The platform it runs on, Xenial, is now EOL
from Ubuntu/Canonical and in order to upgrade to a newer
distribution release we would need to rewrite all the configuration
management (the version of Puppet supported by newer Ubuntu is not
backward-compatible with what we've been running).
If a similar service becomes interesting to users of our
collaboratory in the future, it will need to be reintroduced with
freshly written configuration management anyway. The old configs and
documentation remain in our Git history should anyone wish to use
them as inspiration.
Change-Id: I59b419cf112d32f20084ab93eb6f2417a7f93fdb
We were using a loop index which meant for our cluster size of three we
would always assign server.1 through server.3. Unfortunately, as we
replace servers we may add notes with a myid value >3 which breaks when
we try to assign serverids in this way.
Fix it by using the calculation for myid in the peer listing.
Change-Id: Icf770c75cf3a84420116f47ad691d9f06191fb65
