We need jeepyb installed because the content of the gerrit hook scripts
we install is done via jeepyb commands. Use python-builder so that we
can just install the jeepyb wheel.
Should we maybe transition these hooks into being zuul jobs?
Depends-On: https://review.opendev.org/683146/
Change-Id: I8899885b05d1e9f48b3f354ca22b360b54d455a3
Use latest bazel
It seems 0.27 is now too old. This is what happens when I go on vacation
apparently.
Add in a hack to override the bazelversion. We'll remove this once
https://gerrit-review.googlesource.com/c/gerrit/+/237495 lands and
has been merged up.
Change-Id: Ib7a6d33ce8bf8498fd5cd09b25087dc09acb8df4
There is a bunch of duplication which needs to be redone almost never.
Split those into their own images so we can run them once and reuse them.
Change-Id: I923d4bff96dae75eb52a1c271fa52d5ae79933a0
We had some extra bazel options that don't seem to be necessary
anymore now that we are using upstream bazel options appropriately.
Retry the build a couple of times if it goes south, inside of the
build image. This should allow re-use of the cache the second time,
and if there is a temporary error, it should pick up and move
forward.
Change-Id: I5f304acb21fd3a4d40701fc0414ae0c424c838e5
During the Gerrit Hackathon, we learned some things about setting
bazel options. Use the ones recommended in upstream docs rather than
these. The outcome should be largely the same.
Change-Id: I32b4c567488f0739fb80f69dc881b9837803575c
We almost merged I7ed75d253857f86b68f67023af6897af4e1b4f50 which would
have broken production Ansible runs due to a issue with the upgraded
Ansible and listener syntaxes. CI was picking this up, but the jobs
weren't running on this change (in this case, it was noticed in a
follow-on job that triggered the letsencrypt jobs to run).
Add this file to all ansible tests so that if we bump versions of
ansible/openstacksdk/ara etc, we run all the tests in the gate.
Change-Id: I738c4e7721bd126e8e109c5ea1f38eba9e07b22b
We don't need things like efi configs or pxeboot configs or ISOs.
Exclude these items to further reduce the size of the fedora mirror.
Change-Id: I93003b2f48d79dae627026e2c7af748ea9a9e34d
This change will add our IRC bots to the newly formed Ansible SIG,
in addition, it removes #dox in order to stay within the 120
channel limit.
The dox project has not seen a commit in 2 years and the channel
is pretty much empty/abanonded.
Change-Id: I3acd3cb77a9f71eb80921f4cbf2162113f40efea
This is the base url that will be used for log reporting.
Depends-On: https://review.opendev.org/675655
Change-Id: Ia92a34e9ed506931e0d736ac034f60f4f7c381fc
The backup roles have been debugged and are ready to run.
A note is added about having the backup server in a default disabled
state. This was discussed at an infra meeting where consensus was to
keep it disabled [1].
[1] http://eavesdrop.openstack.org/meetings/infra/2019/infra.2019-06-11-19.01.log.html#l-184
Change-Id: I2a3d2d08a9d1514bf6bdcf15bc5bc95689f3020f
The ssh config file is /.ssh/config (not ssh_config)
We are accepting the ed25519 key, not the ecdsa key, so fix that in
the known_hosts stanza.
Change-Id: If3a42a7872f5d5e7a2bf9c3b5184fb14d43e6a1a
In order to confirm configuration management is working cleanly for
wiki-dev.openstack.org deployments, a new wiki-dev03 has been built
and the old wiki-dev02 deleted. These are not production hosts so
this change can be merged at any time. DNS has also been updated for
them accordingly.
Change-Id: I61ae138b10d51caef2cdd26ca8adaf9d59728ac8
Currently we don't have any logs from our gitea sshd processes because
sshd logs to syslog by default and /dev/log isn't in our containers. You
can ask sshd nicely to log to stderr instead with the -e flag which
docker will pick up and store for us.
Update the sshd command to include -e then use testinfra to check we
collect logs and they are accssible from docker.
Change-Id: Ib7d6d405554c3c30be410bc08c6fee7d4363b096
This is a new backup server for use with the roles in
I9bf74df351e056791ed817180436617048224d2c
Restrict the puppet group to only the openstack.org servers as this
new server doesn't need puppet.
Depends-On: https://review.opendev.org/674549
Change-Id: Ia8e2e01f579ed9475830c159bf266b63bed52c36
This introduces two new roles for managing the backup-server and hosts
that we wish to back up.
Firstly the "backup" role runs on hosts we wish to backup. This
generates and configures a separate ssh key for running bup and
installs the appropriate cron job to run the backup daily.
The "backup-server" job runs on the backup server (or, indeed
servers). It creates users for each backup host, accepts the remote
keys mentioned above and initalises bup. It is then ready to receive
backups from the remote hosts.
This eliminates a fairly long-standing requirement for manual setup of
the backup server users and keys; this section is removed from the
documentation.
testinfra coverage is added.
Change-Id: I9bf74df351e056791ed817180436617048224d2c
The fedora mirror is our largest mirror (850GB about twice as big as the
next mirror). Much of this size is due to the fedora atomic images we
mirror.
On further investigation I notice that we are mirroring ppc images (for
which we do not have cpus to run them on), image for fedora 25 and 36
which are quite EOL'd, and our exclusion of the raw.xz and vagrant
images is failing.
Update the rsync excludes to ensure we don't mirror any of these images
we don't need.
Change-Id: I86856cb4e51b0e687aac45a1f014f87c5141318f
pubmirror1.math.uh.edu is currently offline and listed as an altonly.
pubmirror2 seems to work fine so switch to it.
Change-Id: I2562f8686146d17d4fad3997b9be22361fa05fca
Because of a limitation in GnuPG we need to have the Jessie archive
signing key in the list of VerifyRelease key IDs for the Debian
reprepro mirror. Also some suites (currently buster-backports) are
signed by a subkey of an archive signing key, so add the "+" suffix
to all these key IDs indicating subkey signatures are also allowed.
As always, Debian signing keys are published and available here:
https://ftp-master.debian.org/keys.html
Change-Id: Iedce38318718a18ace7b2c638755a7d7d4dcd69b
This can be used in an apache vhost later, but should be fine to
merge now.
Depends-On: https://review.opendev.org/673902
Change-Id: Ic2cb7585433351ec1bdabd88915fa1ca07da44e7
We don't want nodepool to use floating IPs in the fn cloud as it is an
ipv6 only cloud. We explicitly tell it there is no fip source and that
the tenant network routes ipv6 externally. This config is based on the
limestone configuration which is a similar cloud network wise.
Change-Id: I4a27a22a5beb9c5fc9d3e16cd2ca5b41aecbb46f
Networking got weird on the previous host so we rebuilt this one going
back to networking we expect to work (FIPs and all that). This updates
the inventory so that we configure the host properly.
Change-Id: I0dcdbc9efdd330d66b57da0b01d23dd3d747f79b
In our launch node script we have the option to ignore ipv6 to deal with
clouds like ovh that report an ipv6 address but don't actually provide
that data to the instance so it cannot configure ipv6. When we ignore
ipv6 we should not try to use the ipv6 address at all.
Use the public_v4 address in this case when writing out an ansible
inventory to run the base.yaml playbook when launching the node.
Otherwise we could use ipv6 which doesn't work.
Change-Id: I2ce5cc0db9852d3426828cf88965819f88b3ebd5
The buster-backports suite on Debian mirrors is not signed by the
old jessie signing key we have set to verify in reprepro, but also
we're not mirroring Debian 8/jessie any longer anyway. Replace that
list with the 9/stretch and 10/buster signing keys and switch to
longer key IDs which match the names used for them in the Puppet
manifest. Also add Puppetry and keyfile for the buster keys so that
they will be installed accordingly. The official list of keys can be
found here: https://ftp-master.debian.org/keys.html
Change-Id: Ia193f040b2b707329948955eb091a186eabf8096
Add the gitea07.opendev.org and gitea08.opendev.org servers into the
haproxy pools now that they've been seeded with current data. Remove
the create repos task disable list entries for them as well.
Change-Id: I69390e6a32b01cc1713839f326fa930c376282af
Add new IP addresses to inventory for the rebuilds, but don't
reactivate them in the haproxy pools yet (they're already excluded
from the repository creation task).
Change-Id: I1e3fc1ba56015eeab2c6256b3f90188ecabf23cc
Add the gitea05.opendev.org server into the haproxy pools now that
it's been seeded with current data. Switch the create repos task
disable list from 05 to 07 and 08, and remove 07 and 08 from the
Ansible inventory and comment them out in the haproxy pools in
preparation for replacement.
To the casual observer it may appear gitea06 is being skipped, but
it was replaced first out of sequence due to filesystem corruption
during the PTG. The increased performance of the 75% of the nodes
which have already been replaced means we can get by doing the final
25% at the same time (so two servers at once).
Change-Id: Ia49157c16582b7ed0dbef3eb9d07bf7f1d4450b9
The fortnebula mirror is being rebuilt while the environment there
is under some refactoring. The old mirror isn't reachable any longer
so removing it from our inventory while adding its replacement
should be safe.
Also update the letsencrypt playbooks for the new name.
Change-Id: I789248e4216f4cf059ccc5b071c2a784f9c629e9
