From d93a661ae4ae5c282947bc3cc71c195bf0c410da Mon Sep 17 00:00:00 2001 
From: Monty Taylor Date: Tue, 26 May 2020 17:41:54 -0500 Subject: [PATCH] Run iptables in service playbooks instead of base It's the only part of base that's important to run when we run a service. Run it in the service playbooks and get rid of the dependency on infra-prod-base. Continue running it in base so that new nodes are brought up with iptables in place. Bump the timeout for the mirror job, because the iptables addition seems to have just bumped it over the edge. Change-Id: I4608216f7a59cfa96d3bdb191edd9bc7bb9cca39 --- playbooks/base.yaml | 2 +- .../roles/{base => }/iptables/README.rst | 0 .../{base => }/iptables/defaults/main.yaml | 0 .../{base => }/iptables/handlers/main.yaml | 0 .../{base => }/iptables/tasks/RedHat.yaml | 0 .../roles/{base => }/iptables/tasks/main.yaml | 0 .../{base => }/iptables/templates/rules.v4.j2 | 0 .../{base => }/iptables/templates/rules.v6.j2 | 0 .../{base => }/iptables/vars/Debian.yaml | 0 .../{base => }/iptables/vars/RedHat.yaml | 0 .../iptables/vars/Ubuntu.trusty.yaml | 0 playbooks/roles/run-puppet/tasks/main.yaml | 2 + playbooks/service-backup.yaml | 2 + playbooks/service-bridge.yaml | 1 + playbooks/service-codesearch.yaml | 1 + playbooks/service-eavesdrop.yaml | 1 + playbooks/service-etherpad.yaml | 1 + playbooks/service-gitea-lb.yaml | 1 + playbooks/service-gitea.yaml | 1 + playbooks/service-letsencrypt.yaml | 2 +- playbooks/service-meetpad.yaml | 2 + playbooks/service-mirror-update.yaml | 1 + playbooks/service-mirror.yaml | 1 + playbooks/service-nameserver.yaml | 2 + playbooks/service-nodepool.yaml | 3 + playbooks/service-registry.yaml | 1 + playbooks/service-review-dev.yaml | 1 + playbooks/service-review.yaml | 1 + playbooks/service-static.yaml | 1 + playbooks/service-zookeeper.yaml | 1 + playbooks/service-zuul-preview.yaml | 1 + playbooks/service-zuul.yaml | 1 + testinfra/test_base.py | 1 - testinfra/test_zuul.py | 73 +++++++++++++++++++ zuul.d/infra-prod.yaml | 35 +++++---- zuul.d/project.yaml | 2 - 
zuul.d/system-config-run.yaml | 1 + 37 files changed, 123 insertions(+), 19 deletions(-) rename playbooks/roles/{base => }/iptables/README.rst (100%) rename playbooks/roles/{base => }/iptables/defaults/main.yaml (100%) rename playbooks/roles/{base => }/iptables/handlers/main.yaml (100%) rename playbooks/roles/{base => }/iptables/tasks/RedHat.yaml (100%) rename playbooks/roles/{base => }/iptables/tasks/main.yaml (100%) rename playbooks/roles/{base => }/iptables/templates/rules.v4.j2 (100%) rename playbooks/roles/{base => }/iptables/templates/rules.v6.j2 (100%) rename playbooks/roles/{base => }/iptables/vars/Debian.yaml (100%) rename playbooks/roles/{base => }/iptables/vars/RedHat.yaml (100%) rename playbooks/roles/{base => }/iptables/vars/Ubuntu.trusty.yaml (100%) create mode 100644 testinfra/test_zuul.py diff --git a/playbooks/base.yaml b/playbooks/base.yaml index da326d1078..a784ef330c 100644 --- a/playbooks/base.yaml +++ b/playbooks/base.yaml @@ -8,4 +8,4 @@ - base/unbound - base/exim - base/snmpd - - base/iptables + - iptables diff --git a/playbooks/roles/base/iptables/README.rst b/playbooks/roles/iptables/README.rst similarity index 100% rename from playbooks/roles/base/iptables/README.rst rename to playbooks/roles/iptables/README.rst diff --git a/playbooks/roles/base/iptables/defaults/main.yaml b/playbooks/roles/iptables/defaults/main.yaml similarity index 100% rename from playbooks/roles/base/iptables/defaults/main.yaml rename to playbooks/roles/iptables/defaults/main.yaml diff --git a/playbooks/roles/base/iptables/handlers/main.yaml b/playbooks/roles/iptables/handlers/main.yaml similarity index 100% rename from playbooks/roles/base/iptables/handlers/main.yaml rename to playbooks/roles/iptables/handlers/main.yaml diff --git a/playbooks/roles/base/iptables/tasks/RedHat.yaml b/playbooks/roles/iptables/tasks/RedHat.yaml similarity index 100% rename from playbooks/roles/base/iptables/tasks/RedHat.yaml rename to playbooks/roles/iptables/tasks/RedHat.yaml 
diff --git a/playbooks/roles/base/iptables/tasks/main.yaml b/playbooks/roles/iptables/tasks/main.yaml similarity index 100% rename from playbooks/roles/base/iptables/tasks/main.yaml rename to playbooks/roles/iptables/tasks/main.yaml diff --git a/playbooks/roles/base/iptables/templates/rules.v4.j2 b/playbooks/roles/iptables/templates/rules.v4.j2 similarity index 100% rename from playbooks/roles/base/iptables/templates/rules.v4.j2 rename to playbooks/roles/iptables/templates/rules.v4.j2 diff --git a/playbooks/roles/base/iptables/templates/rules.v6.j2 b/playbooks/roles/iptables/templates/rules.v6.j2 similarity index 100% rename from playbooks/roles/base/iptables/templates/rules.v6.j2 rename to playbooks/roles/iptables/templates/rules.v6.j2 diff --git a/playbooks/roles/base/iptables/vars/Debian.yaml b/playbooks/roles/iptables/vars/Debian.yaml similarity index 100% rename from playbooks/roles/base/iptables/vars/Debian.yaml rename to playbooks/roles/iptables/vars/Debian.yaml diff --git a/playbooks/roles/base/iptables/vars/RedHat.yaml b/playbooks/roles/iptables/vars/RedHat.yaml similarity index 100% rename from playbooks/roles/base/iptables/vars/RedHat.yaml rename to playbooks/roles/iptables/vars/RedHat.yaml diff --git a/playbooks/roles/base/iptables/vars/Ubuntu.trusty.yaml b/playbooks/roles/iptables/vars/Ubuntu.trusty.yaml similarity index 100% rename from playbooks/roles/base/iptables/vars/Ubuntu.trusty.yaml rename to playbooks/roles/iptables/vars/Ubuntu.trusty.yaml diff --git a/playbooks/roles/run-puppet/tasks/main.yaml b/playbooks/roles/run-puppet/tasks/main.yaml index 9efa7e999d..ea2f11474c 100644 --- a/playbooks/roles/run-puppet/tasks/main.yaml +++ b/playbooks/roles/run-puppet/tasks/main.yaml @@ -1,4 +1,6 @@ # Use include_role instead of roles: so that we can late-bind the roles list +- include_role: + name: iptables - include_role: name: install-ansible-roles - include_role: 
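Review bot: The `include_role: name: iptables` added at the top of playbooks/roles/run-puppet/tasks/main.yaml makes the firewall role run twice in any play that also lists `- iptables` under `roles:`. The service-codesearch.yaml hunk in this commit does exactly that (`- iptables` followed by `run-puppet`), and service-eavesdrop.yaml appears to as well. A second pass is harmless if the role is idempotent, but it adds run time to every puppet-driven job, and the commit message already notes that the iptables addition pushed the mirror job over its timeout. Keep only one of the two and record the choice in the comment above the include, e.g. `# iptables is applied here so every run-puppet play gets firewall rules before puppet runs`. The task list continues outside the hunk.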
diff --git a/playbooks/service-backup.yaml b/playbooks/service-backup.yaml index 2dfdcd40e3..fc66a03a48 100644 --- a/playbooks/service-backup.yaml +++ b/playbooks/service-backup.yaml @@ -3,8 +3,10 @@ - hosts: "backup:!disabled" name: "Base: Generate backup users and keys" roles: + - iptables - backup - hosts: "backup-server:!disabled" name: "Generate bup configuration" roles: + - iptables - backup-server diff --git a/playbooks/service-bridge.yaml b/playbooks/service-bridge.yaml index ce5a6c0dbf..74b746dde9 100644 --- a/playbooks/service-bridge.yaml +++ b/playbooks/service-bridge.yaml @@ -1,6 +1,7 @@ - hosts: bridge.openstack.org:!disabled name: "Bridge: configure the bastion host" roles: + - iptables - edit-secrets-script - install-docker tasks: diff --git a/playbooks/service-codesearch.yaml b/playbooks/service-codesearch.yaml index e0f0ff3bcf..ac3c6bdead 100644 --- a/playbooks/service-codesearch.yaml +++ b/playbooks/service-codesearch.yaml @@ -2,6 +2,7 @@ name: "codesearch: run puppet on codesearch" strategy: free roles: + - iptables - sync-project-config - name: run-puppet manifest: /opt/system-config/production/manifests/codesearch.pp diff --git a/playbooks/service-eavesdrop.yaml b/playbooks/service-eavesdrop.yaml index a8ed205f6e..f41d9db53d 100644 --- a/playbooks/service-eavesdrop.yaml +++ b/playbooks/service-eavesdrop.yaml @@ -2,6 +2,7 @@ name: "eavesdrop: run puppet on eavesdrop" strategy: free roles: + - iptables - zuul-user - sync-project-config - install-docker diff --git a/playbooks/service-etherpad.yaml b/playbooks/service-etherpad.yaml index 208686b507..94cf0a7390 100644 --- a/playbooks/service-etherpad.yaml +++ b/playbooks/service-etherpad.yaml @@ -1,5 +1,6 @@ - hosts: "etherpad01.opendev.org:!disabled" name: "Base: configure etherpad" roles: + - iptables - install-docker - etherpad diff --git a/playbooks/service-gitea-lb.yaml b/playbooks/service-gitea-lb.yaml index 6a13f142a1..466c41392a 100644 --- a/playbooks/service-gitea-lb.yaml 
+++ b/playbooks/service-gitea-lb.yaml @@ -1,5 +1,6 @@ - hosts: "gitea-lb:!disabled" name: "Base: configure gitea load balancer" roles: + - iptables - install-docker - haproxy diff --git a/playbooks/service-gitea.yaml b/playbooks/service-gitea.yaml index 66282f50b8..a4fc1f09d7 100644 --- a/playbooks/service-gitea.yaml +++ b/playbooks/service-gitea.yaml @@ -2,5 +2,6 @@ name: "Base: configure gitea" serial: 1 roles: + - iptables - install-docker - gitea diff --git a/playbooks/service-letsencrypt.yaml b/playbooks/service-letsencrypt.yaml index 1033611c92..a002728603 100644 --- a/playbooks/service-letsencrypt.yaml +++ b/playbooks/service-letsencrypt.yaml @@ -5,7 +5,7 @@ roles: - install-certcheck - hosts: "letsencrypt:!disabled" - name: "Base: deploy and renew certificates" + name: "Deploy and renew certificates" roles: - letsencrypt-acme-sh-install - letsencrypt-request-certs diff --git a/playbooks/service-meetpad.yaml b/playbooks/service-meetpad.yaml index 63dced8c85..e639752806 100644 --- a/playbooks/service-meetpad.yaml +++ b/playbooks/service-meetpad.yaml @@ -1,12 +1,14 @@ - hosts: "meetpad:!disabled" name: "Configure meetpad" roles: + - iptables - install-docker - jitsi-meet - hosts: "jvb:!disabled" name: "Configure extra jitsi video bridges" roles: + - iptables - install-docker - role: jitsi-meet docker_compose_file: jvb-docker-compose.yaml diff --git a/playbooks/service-mirror-update.yaml b/playbooks/service-mirror-update.yaml index 116a2c3350..705177fce5 100644 --- a/playbooks/service-mirror-update.yaml +++ b/playbooks/service-mirror-update.yaml @@ -1,6 +1,7 @@ - hosts: "mirror-update:!disabled" name: "Configure mirror-update" roles: + - role: iptables - role: kerberos-client kerberos_realm: 'OPENSTACK.ORG' kerberos_admin_server: 'kdc.openstack.org' diff --git a/playbooks/service-mirror.yaml b/playbooks/service-mirror.yaml index 961c9d2479..01844ff1a4 100644 --- a/playbooks/service-mirror.yaml +++ b/playbooks/service-mirror.yaml 
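Review bot: Neither play in playbooks/service-letsencrypt.yaml gains `- iptables` in its hunk (`@@ -5,7 +5,7 @@`), which only renames the second play. The zuul.d/infra-prod.yaml hunk at `@@ -69,8 +69,6 @@` nevertheless removes the `infra-prod-base` soft dependency from what appears to be the letsencrypt job. After this commit, nothing visible orders that job after a firewall run, unlike the other service playbooks touched here. If that is intentional because each host's own service playbook applies the rules, record it with a comment at the top of the file, e.g. `# iptables is applied by each host's own service playbook, not here`; otherwise add `- iptables` as the first role of both plays. Both plays start or end outside the hunk.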
@@ -1,6 +1,7 @@ - hosts: "mirror:!disabled" name: "Configure per region opendev mirrors" roles: + - role: iptables - role: kerberos-client kerberos_realm: 'OPENSTACK.ORG' kerberos_admin_server: 'kdc.openstack.org' diff --git a/playbooks/service-nameserver.yaml b/playbooks/service-nameserver.yaml index f954c90c8a..508dc93a8f 100644 --- a/playbooks/service-nameserver.yaml +++ b/playbooks/service-nameserver.yaml @@ -1,10 +1,12 @@ - hosts: adns:!disabled name: "Base: configure adns server" roles: + - iptables - master-nameserver - hosts: "ns1.opendev.org:ns2.opendev.org:!disabled" name: "Base: configure authoritative nameservers" roles: + - iptables - nameserver diff --git a/playbooks/service-nodepool.yaml b/playbooks/service-nodepool.yaml index ee7db05997..51f5178fa2 100644 --- a/playbooks/service-nodepool.yaml +++ b/playbooks/service-nodepool.yaml @@ -2,6 +2,7 @@ name: "Configure nodepool builders" strategy: free roles: + - iptables - install-docker - nodepool-base - configure-openstacksdk @@ -11,6 +12,7 @@ name: "run puppet on all older servers" strategy: free roles: + - iptables - nodepool-base-legacy - configure-openstacksdk - configure-kubectl @@ -20,6 +22,7 @@ name: "Configure nodepool launchers" strategy: free roles: + - iptables - install-docker - nodepool-base - configure-openstacksdk diff --git a/playbooks/service-registry.yaml b/playbooks/service-registry.yaml index 7b8a402a41..2cb1db874e 100644 --- a/playbooks/service-registry.yaml +++ b/playbooks/service-registry.yaml @@ -1,5 +1,6 @@ - hosts: "registry:!disabled" name: "Base: configure registry" roles: + - iptables - install-docker - registry diff --git a/playbooks/service-review-dev.yaml b/playbooks/service-review-dev.yaml index 1a9f26966e..f1b545fbef 100644 --- a/playbooks/service-review-dev.yaml +++ b/playbooks/service-review-dev.yaml 
@@ -1,6 +1,7 @@ - hosts: "review-dev:!disabled" name: "Configure gerrit on review-dev" roles: + - iptables - install-docker - role: gerrit gerrit_ssh_rsa_key_contents: "{{ gerrit_dev_ssh_rsa_key_contents }}" diff --git a/playbooks/service-review.yaml b/playbooks/service-review.yaml index 6f85d05644..24da323dc6 100644 --- a/playbooks/service-review.yaml +++ b/playbooks/service-review.yaml @@ -1,5 +1,6 @@ - hosts: "review:!disabled" name: "Configure gerrit" roles: + - iptables - install-docker - gerrit diff --git a/playbooks/service-static.yaml b/playbooks/service-static.yaml index a425036101..31da7b08e0 100644 --- a/playbooks/service-static.yaml +++ b/playbooks/service-static.yaml @@ -1,6 +1,7 @@ - hosts: "static:!disabled" name: "Static webserver" roles: + - role: iptables - role: kerberos-client kerberos_realm: 'OPENSTACK.ORG' kerberos_admin_server: 'kdc.openstack.org' diff --git a/playbooks/service-zookeeper.yaml b/playbooks/service-zookeeper.yaml index 81a4d5602d..4b758e5726 100644 --- a/playbooks/service-zookeeper.yaml +++ b/playbooks/service-zookeeper.yaml @@ -12,5 +12,6 @@ name: "Configure Zookeeper" serial: 1 roles: + - iptables - install-docker - zookeeper diff --git a/playbooks/service-zuul-preview.yaml b/playbooks/service-zuul-preview.yaml index a042ebacd3..c7698331e3 100644 --- a/playbooks/service-zuul-preview.yaml +++ b/playbooks/service-zuul-preview.yaml @@ -1,5 +1,6 @@ - hosts: "zuul-preview:!disabled" name: "Base: configure zuul-preview" roles: + - iptables - install-docker - zuul-preview diff --git a/playbooks/service-zuul.yaml b/playbooks/service-zuul.yaml index 01c9af4dd2..e4e372e438 100644 --- a/playbooks/service-zuul.yaml +++ b/playbooks/service-zuul.yaml @@ -11,6 +11,7 @@ - hosts: "zuul:!disabled" name: "Configure zuul servers" roles: + - iptables - install-docker - zuul diff --git a/testinfra/test_base.py b/testinfra/test_base.py index c6f0e4f909..8a5428a16f 100644 --- a/testinfra/test_base.py +++ b/testinfra/test_base.py 
@@ -14,7 +14,6 @@ import socket - testinfra_hosts = ['all'] diff --git a/testinfra/test_zuul.py b/testinfra/test_zuul.py new file mode 100644 index 0000000000..73cbff4825 --- /dev/null +++ b/testinfra/test_zuul.py 
@@ -0,0 +1,73 @@ +# Copyright 2018 Red Hat, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +import socket + + +testinfra_hosts = [ + 'ze01.opendev.org', + 'zm01.openstack.org', + 'zuul01.openstack.org', +] + + +def get_ips(value, family=None): + ret = set() + try: + addr_info = socket.getaddrinfo(value, None, family) + except socket.gaierror: + return ret + for addr in addr_info: + ret.add(addr[4][0]) + return ret + + +def test_iptables(host): + rules = host.iptables.rules() + rules = [x.strip() for x in rules] + + needed_rules = [ + '-P INPUT ACCEPT', + '-P FORWARD DROP', + '-P OUTPUT ACCEPT', + '-N openstack-INPUT', + '-A INPUT -j openstack-INPUT', + '-A openstack-INPUT -i lo -j ACCEPT', + '-A openstack-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT', + '-A openstack-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT', + '-A openstack-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT', + '-A openstack-INPUT -j REJECT --reject-with icmp-host-prohibited' + ] + for rule in needed_rules: + assert rule in rules + + # Make sure that the gearman port is open to executors on the scheduler + if host.backend.get_hostname() == 'zuul01.openstack.org': + for ip in get_ips('ze01.opendev.org', socket.AF_INET): + zuul = ('-A openstack-INPUT -s %s/32 -p tcp -m state --state NEW' + ' -m tcp --dport 4730 -j ACCEPT' % ip) + assert zuul in rules + + # Ensure all IPv4+6 addresses for cacti are allowed + for ip in get_ips('cacti.openstack.org', socket.AF_INET): + 
snmp = ('-A openstack-INPUT -s %s/32 -p udp -m udp' + ' --dport 161 -j ACCEPT' % ip) + assert snmp in rules + + # TODO(ianw) add ip6tables support to testinfra iptables module + ip6rules = host.check_output('ip6tables -S') + for ip in get_ips('cacti.openstack.org', socket.AF_INET6): + snmp = ('-A openstack-INPUT -s %s/128 -p udp -m udp' + ' --dport 161 -j ACCEPT' % ip) + assert snmp in ip6rules diff --git a/zuul.d/infra-prod.yaml b/zuul.d/infra-prod.yaml index cb766be147..7087a89f11 100644 --- a/zuul.d/infra-prod.yaml +++ b/zuul.d/infra-prod.yaml @@ -69,8 +69,6 @@ dependencies: - name: infra-prod-install-ansible soft: true - - name: infra-prod-base - soft: true files: - inventory/ - playbooks/service-letsencrypt.yaml @@ -105,8 +103,6 @@ dependencies: - name: infra-prod-install-ansible soft: true - - name: infra-prod-base - soft: true - name: infra-prod-service-letsencrypt soft: true @@ -120,6 +116,7 @@ - inventory/ - playbooks/service-bridge.yaml - playbooks/host_vars/bridge.openstack.org.yaml + - playbooks/roles/iptables/ - playbooks/roles/logrotate/ - playbooks/roles/edit-secrets-script/ - playbooks/roles/install-kubectl/ @@ -138,6 +135,7 @@ - playbooks/service-gitea-lb.yaml - playbooks/group_vars/gitea-lb.yaml - playbooks/roles/pip3/ + - playbooks/roles/iptables/ - playbooks/roles/install-docker/ - playbooks/roles/haproxy/ @@ -157,6 +155,7 @@ - playbooks/group_vars/ns.yaml - playbooks/roles/master-nameserver/ - playbooks/roles/nameserver/ + - playbooks/roles/iptables/ - job: name: infra-prod-service-nodepool @@ -179,6 +178,7 @@ - playbooks/roles/configure-kubectl/ - playbooks/roles/configure-openstacksdk/ - playbooks/roles/install-docker/ + - playbooks/roles/iptables/ - playbooks/roles/nodepool - playbooks/templates/clouds/nodepool_ @@ -197,6 +197,7 @@ - playbooks/roles/pip3/ - playbooks/roles/etherpad - playbooks/roles/logrotate + - playbooks/roles/iptables/ - job: name: infra-prod-service-meetpad 
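Review bot: In testinfra/test_zuul.py the per-address checks in `test_iptables` pass vacuously when name resolution fails: `get_ips` returns an empty set on `socket.gaierror`, so each `for ip in get_ips(...)` loop asserts nothing and the port 4730 and port 161 source restrictions are reported as verified without being checked. For the two `socket.AF_INET` lookups, bind the result and assert it first, e.g. `ips = get_ips('cacti.openstack.org', socket.AF_INET)` followed by `assert ips, 'cacti.openstack.org did not resolve'`. The `AF_INET6` lookup may legitimately be empty, so a comment saying so is enough there. Separately, `ip6rules` is the raw string from `host.check_output`, so `snmp in ip6rules` is a substring match, not the whole-rule list match used for IPv4; `ip6rules = [x.strip() for x in host.check_output('ip6tables -S').splitlines()]` would make the two checks consistent. Neither function has a docstring; a line on `get_ips` stating that it returns an empty set when the name does not resolve would make this behaviour visible to the next reader.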
@@ -205,8 +206,6 @@ dependencies: - name: infra-prod-install-ansible soft: true - - name: infra-prod-base - soft: true - name: infra-prod-service-letsencrypt soft: true - name: system-config-promote-image-jitsi-meet @@ -220,6 +219,7 @@ - playbooks/group_vars/meetpad.yaml - playbooks/roles/pip3/ - playbooks/roles/install-docker/ + - playbooks/roles/iptables/ - playbooks/roles/jitsi-meet/ - job: @@ -234,6 +234,7 @@ - playbooks/roles/kerberos-client/ - playbooks/roles/openafs-client/ - playbooks/roles/mirror-update/ + - playbooks/roles/iptables/ - playbooks/roles/logrotate/ - job: @@ -251,6 +252,7 @@ - playbooks/roles/mirror/ - playbooks/roles/afs-release/ - playbooks/roles/afsmon/ + - playbooks/roles/iptables/ - playbooks/roles/logrotate/ - job: @@ -264,6 +266,7 @@ - playbooks/service-static.yaml - playbooks/host_vars/static01.opendev.org.yaml - playbooks/group_vars/static.yaml + - playbooks/roles/iptables/ - playbooks/roles/kerberos-client/ - playbooks/roles/openafs-client/ - playbooks/roles/static/ @@ -280,6 +283,7 @@ - playbooks/service-backup.yaml - playbooks/roles/backup/ - playbooks/roles/backup-server/ + - playbooks/roles/iptables/ - job: name: infra-prod-service-registry @@ -293,6 +297,7 @@ - playbooks/group_vars/registry.yaml - playbooks/roles/pip3/ - playbooks/roles/install-docker/ + - playbooks/roles/iptables/ - playbooks/roles/registry/ - job: @@ -307,6 +312,7 @@ - playbooks/group_vars/zuul-preview.yaml - playbooks/roles/pip3/ - playbooks/roles/install-docker/ + - playbooks/roles/iptables/ - playbooks/roles/zuul-preview/ - job: @@ -321,6 +327,7 @@ - ^playbooks/host_vars/zk\d+\..* - playbooks/roles/pip3/ - playbooks/roles/install-docker/ + - playbooks/roles/iptables/ - playbooks/roles/zookeeper/ - job: @@ -337,8 +344,6 @@ dependencies: - name: infra-prod-install-ansible soft: true - - name: infra-prod-base - soft: true - name: infra-prod-service-letsencrypt soft: true - name: infra-prod-manage-projects 
@@ -352,6 +357,7 @@ - playbooks/host_vars/zk\d+ - playbooks/host_vars/zuul01.openstack.org - playbooks/roles/install-docker/ + - playbooks/roles/iptables/ - playbooks/roles/zookeeper/ - playbooks/roles/zuul @@ -364,8 +370,6 @@ dependencies: &infra_prod_service_review_deps - name: infra-prod-install-ansible soft: true - - name: infra-prod-base - soft: true - name: infra-prod-service-letsencrypt soft: true - name: system-config-promote-image-gerrit-2.13 @@ -377,6 +381,7 @@ - playbooks/host_vars/review01.openstack.org.yaml - playbooks/roles/pip3/ - playbooks/roles/install-docker/ + - playbooks/roles/iptables/ - playbooks/roles/gerrit/ - job: @@ -393,6 +398,7 @@ - playbooks/host_vars/review-dev01.opendev.org.yaml - playbooks/roles/pip3/ - playbooks/roles/install-docker/ + - playbooks/roles/iptables/ - playbooks/roles/gerrit/ - job: @@ -404,8 +410,6 @@ dependencies: - name: infra-prod-install-ansible soft: true - - name: infra-prod-base - soft: true - name: infra-prod-service-letsencrypt soft: true - name: system-config-promote-image-gitea-init @@ -420,6 +424,7 @@ - playbooks/roles/install-docker/ - playbooks/roles/pip3/ - playbooks/roles/gitea/ + - playbooks/roles/iptables/ - playbooks/roles/logrotate/ - docker/gitea/ - docker/gitea-init/ @@ -443,6 +448,7 @@ - playbooks/group_vars/puppet.yaml - playbooks/roles/run-puppet/ - playbooks/roles/install-ansible-roles/ + - playbooks/roles/iptables/ - playbooks/roles/sync-project-config - playbooks/roles/puppet-install/ - playbooks/roles/disable-puppet-agent/ @@ -461,8 +467,6 @@ dependencies: - name: infra-prod-install-ansible soft: true - - name: infra-prod-base - soft: true - name: infra-prod-service-letsencrypt soft: true - name: system-config-promote-image-accessbot @@ -479,6 +483,7 @@ - playbooks/roles/install-ansible-roles/ - playbooks/roles/zuul-user - playbooks/roles/install-docker + - playbooks/roles/iptables/ - playbooks/roles/puppet-install/ - playbooks/roles/disable-puppet-agent/ - playbooks/roles/accessbot 
@@ -526,6 +531,7 @@ - playbooks/roles/install-ansible-roles/ - playbooks/roles/puppet-install/ - playbooks/roles/disable-puppet-agent/ + - playbooks/roles/iptables/ - playbooks/roles/vos-release/ - modules/ - manifests/ @@ -551,6 +557,7 @@ - playbooks/roles/install-ansible-roles/ - playbooks/roles/puppet-install/ - playbooks/roles/disable-puppet-agent/ + - playbooks/roles/iptables/ - modules/ - manifests/ diff --git a/zuul.d/project.yaml b/zuul.d/project.yaml index 5ff9414b34..4083e6a521 100644 --- a/zuul.d/project.yaml +++ b/zuul.d/project.yaml @@ -204,8 +204,6 @@ dependencies: - name: infra-prod-install-ansible soft: true - - name: infra-prod-base - soft: true - name: infra-prod-service-letsencrypt soft: true - name: system-config-promote-image-etherpad diff --git a/zuul.d/system-config-run.yaml b/zuul.d/system-config-run.yaml index e266a97ab9..700dcea113 100644 --- a/zuul.d/system-config-run.yaml +++ b/zuul.d/system-config-run.yaml @@ -374,6 +374,7 @@ - job: name: system-config-run-mirror-x86 parent: system-config-run-mirror-base + timeout: 3600 nodeset: nodes: - name: bridge.openstack.org