Commit Graph

210 Commits (master)

Author SHA1 Message Date
Jeremy Stanley a6ab3543fc Move Airship and Kata lists to Mailman 3
This uncomments the list additions for the and sites on the new mailman server, removing
the configuration for them from the server and, in
the case of the latter, removing all our configuration management
for the server as it was the only site hosted there.

Change-Id: Ic1c735469583e922313797f709182f960e691efc
2023-09-14 12:08:34 +00:00
Clark Boylan ef450d1bce Update to Gitea 1.20
The 1.20 release is here. Upgrade to this version.

Things we change:
 * Nodejs is updated to v20 to match the alpine 3.18 package version
   that gitea switched to.
 * Templates are updated to match upstream 1.20 templates.
 * We drop the deprecated LFS_CONTENT_PATH from our server config and
   add an equivalent [lfs] config section.
 * Normalize app.ini content so that gitea won't write it back out to
   disk which fails due to permissions (and we don't want it overriding
   our configs anyway). For this we need to add WORK_PATH,
   oauth2.JWT_SECRET, and normliazing spacing and quoting for entries.
 * Set JWT_SIGNING_PRIVATE_KEY_FILE explicitly to be located at
   /data/gitea/jwt/private.pem otherwise gitea attempts to create the
   jwt/ directory somewhere it doesn't have permissions to (I think /)
   and won't be persisted across containers.
 * Replace log.ENABLE_ACCESS_LOG with log.logger.access.MODE = file as
   log.ENABLE_ACCESS_LOG is deprecated and doesn't appear to work
   anymore. This appears to be a documentation issue or they deprecated
   and removed things more quickly than originaly anticipated.
 * Add log.ACCESS_LOG_TEMPLATE to readd source port info to the access
 * Add a templates/custom/header.tmpl file to set theme-color as the
   config item for this has been removed.

The 1.20.0 changelog [0] lists a number of breaking changes. I have
tried to capture there here as well as potential impacts to us:

 * Fix WORK_DIR for docker (root) image (#25738) (#25811)
   * We set APP_DATA_PATH to /data/gitea in our app.ini config which
     means we aren't relying on the inferred value from WORK_DIR. I
     think this isolates us from this chnage. But we can check for any
     content in /app/gitea on our running containers to be sure.
     Note we hardcode WORK_PATH to /data/gitea because gitea attempts to
     write this back to our config file otherwise as a result of this
 * Restrict [actions].DEFAULT_ACTIONS_URL to only github or self (#25581) (#25604)
   * We disable actions. This shouldn't affect us.
 * Refactor path & config system (#25330) (#25416)
   * This is related to the first breaking changes. Basically we need
     to check our use of WORK_PATH and determine if we need to hardcode
     it to something. Probably a good idea given how they keep changing
     this on us...
 * Fix all possible setting error related storages and added some tests (#23911) (#25244)
   * We don't use storage configs. This shouldn't affect us.
 * Use a separate admin page to show global stats, remove actions stat (#25062)
   * The breaking change only affects the use of Prometheus which we
     don't have yet.
 * Remove the service worker (#25010)
   * Is listed as a breaking change for UI cleanup that we don't need to
     cleanup. (ui.USE_SERVICE_WORKER can be removed).
 * Remove meta tags theme-color and default-theme (#24960)
   * Addressed by adding a custome templates/custom/header.tmpl file
     that sets this meta tag to the existing value. Note this only
     affects mobile clients so needs to be double checked via a mobile
 * Use [git.config] for reflog cleaning up (#24958)
   * Affects git.reflog config entries and we don' thave any.
 * Allow all URL schemes in Markdown links by default (#24805)
   * TODO determine if we need to limit link types and add that
     change if so. A point release was made to exclude bad types
     already. Not sure if there are others we need to add.
 * Redesign Scoped Access Tokens (#24767)
   * This breaks scoped tokens with scopes that don't exist anymore.
     I don't think we use scoped tokens.
 * Fix team members API endpoint pagination (#24754)
   * They 1 index the pagination of this endpoint now instead of 0
     indexing it.
 * Rewrite logger system (#24726)
   * They made changes to the loggers and encourage people to check
     their logs work as expected when upgrading. Using our test instance
     logs I don't see anything that is a problem.
 * Increase default LFS auth timeout from 20m to 24h (#24628)
   * We don't LFS but can change the timeout if necssary.
 * Rewrite queue (#24505)
   * Check for 'Removed queue option:' log entries and clean up
     corresponding entries in app.ini. We don't have any of these
     entries in our logs.
 * Remove unused setting time.FORMAT (#24430)
   * We didn't have this entry in app.ini.
 * Refactor setting.Other and remove unused SHOW_FOOTER_BRANDING (#24270)
   * This setting can be removed from app.ini, but we don't set it.
 * Correct the access log format (#24085)
   * We uncorrect it because they removed source port info in the
     correction step. They did this because some log parsers don't
     understand having the port info present, but if you are behind a
     reverse proxy this information is very important. We run gitea behind
     a reverse proxy.
 * Reserve ".png" suffix for user/org names (#23992)
   * .png is no longer a valid user/org name (it didn't work before
 * Prefer native parser for SSH public key parsing (#23798)
   * If you relied on the openssh ssh-keygen executable for public key
     parsing then you must explicitly set config to use it. I don't
     think we do as the golang native parser should handle the keytypes
     we use.
 * Editor preview support for external renderers (#23333)
   * This removed an app.ini settings we don't seem to set.
 * Add Gitea Profile Readmes (#23260)
   * Readmes in .profile repositories will always be shown now. We don't
     have .profiles repos so this doesn't affect us.
 * Refactor ctx in templates (#23105)
   * This affects custom templates as we may need to replace ctx with
     ctxData in our templates.
   * I've searched our templates for 'root', 'ctx', and 'ctxData' and
     have found no instances. Looking at the files modifying by the
     commits related to this change:
     we don't seem to override the affected files. I think we are fine
     as is.

The 1.20.1 changelog indicates there are no breaking changes, and git
diff shows no changes to the templates between 1.20.0 and 1.20.1.

The 1.20.2 changelog indicates there are no breaking changes, and git
diff shows no changes to the templates between 1.20.1 and 1.20.2.

The 1.20.3 changelog indicates there is a single breaking change:
 * Fix the wrong derive path (#26271) (#26318)
   * If I'm reading the code correctly, I think the problem was storage
     configuration inheriting the base storage config and particularly
     the related path. Then when archival storage looked for its config
     the path was the root gitea storage path and it would inadverdently
     delete all repos when deleting a single repo or something like
     that. We don't use these features and these are mirrors anyway so I
     don't think this really affects us.


Change-Id: I265f0ad16c0e757a11c1d889996ffe2198625a1a
2023-08-21 08:49:46 -07:00
Zuul 7011785925 Merge "dns: move tsig_key into common group variable" 2023-04-13 22:13:38 +00:00
Zuul 4a101da52a Merge "Refactor adns variables" 2023-04-13 02:31:48 +00:00
Ian Wienand a4efec61af
dns: move tsig_key into common group variable
The tsig_key value is a shared secret between the hidden-primary and
secondary servers to facilitate secure zone transfers.  Thus we should
store it once in the common "adns" group, rather than duplicating it
in the adns-primary and ads-secondary.

Change-Id: I600f1ecdfc06bda79b6a4ce77253f489ad515fa5
2023-04-13 11:38:01 +10:00
Zuul dda61d0321 Merge "Make etherpad configuration more generic for multiple hosts" 2023-04-10 23:16:53 +00:00
Clark Boylan ed1c7c94a3 Make etherpad configuration more generic for multiple hosts
This switches us to running the services against the etherpad group. We
also define vars in a group_vars file rather than a host specific
file. This allows us to switch testing over to etherpad99 to decouple it
from our production hostnames.

A followup change will add a new etherpad production server that will be
deployed alongside the existing one. This refactor makes that a bit

Change-Id: I838ad31eb74a3abfd02bbfa77c9c2d007d57a3d4
2023-04-05 08:36:27 -07:00
Ian Wienand adc47f5481
Upgrade Gerrit to version 3.7
This updates our base config to 3.7.  This should only be merged as
part of the update process described at

Change-Id: I9a1fc4a9f35ed0f60b9899cb9d08aa81995e640b
2023-04-04 13:42:43 +10:00
Ian Wienand b0d27692de
Refactor adns variables
Firstly, my understanding of "adns" is that it's short for
authoritative-dns; i.e. things related to our main non-recursive DNS
servers for the zones we manage.  The "a" is useful to distinguish
this from any sort of other dns services we might run for CI, etc.

The way we do this is with a "hidden" server that applies updates from
config management, which then notifies secondary public servers which
do a zone transfer from the primary.  They're all "authoritative" in
the sense they're not for general recursive queries.

As mentioned in Ibd8063e92ad7ff9ee683dcc7dfcc115a0b19dcaa, we
currently have 3 groups

 adns : the hidden primary bind server
 ns : the secondary public authoratitive servers
 dns : both of the above

This proposes a refactor into the following 3 groups

 adns-primary : hidden primary bind server
 adns-secondary : the secondary public authoritative servers
 adns : both of the above

This is meant to be a no-op; I just feel like this makes it a bit
clearer as to the "lay of the land" with these servers.  It will need
some considering of the hiera variables on bridge if we merge.

Change-Id: I9ffef52f27bd23ceeec07fe0f45f9fee08b5559a
2023-03-10 09:36:01 +11:00
Jeremy Stanley 049f8747c4 Final cleanup of internap/inap/iweb references
The last iteration of this donor environment was taken down at the
end of 2022, let's proceed with final config removal for it.

Change-Id: Icfa9a681f052f69d96fd76c6038a6cd8784d9d8d
2023-02-13 23:56:22 +00:00
Jeremy Stanley d5eee33b7d Finish cleaning up packethost references
We haven't used the Packethost donor environment in a very long
time, go ahead and clean up lingering references to it in our

Change-Id: I870f667d10cc38de3ee16be333665ccd9fe396b9
2023-02-13 23:56:21 +00:00
Jeremy Stanley f18e06e011 Farewell limestone
The mirror in our Limestone Networks donor environment is now
unreachable, but we ceased using this region years ago due to
persistent networking trouble and the admin hasn't been around for
roughly as long, so it's probably time to go ahead and say goodbye
to it.

Change-Id: Ibad440a3e9e5c210c70c14a34bcfec1fb24e07ce
2023-02-13 23:54:59 +00:00
Ian Wienand 8bf3bbba93
mailman: add variable for matching UAs in Apache
This allows us to quickly create a list of user agents we may not want
to crawl the site.

Change-Id: Ibbc84e0f7b529cd029770cc8ec3a3d82477734ce
2023-01-11 15:47:20 +11:00
Ian Wienand cf04bf38ab
linaro: add nodepool cloud configuration
This is authentication information for the new Linaro cloud we are

Change-Id: Ic174cb156dd3a59fe40f08d039389b3bfabddea4
2022-12-23 07:51:09 +11:00
Ian Wienand a9402901ab
Remove old nodepool.yaml testing variables
These dummy variables were for the nodepool.yaml template during
testing, but are no longer referenced.  Clean them up.

Change-Id: I717ab8f9b980b363fdddaa28e76cd269b1e4d876
2022-12-23 07:48:58 +11:00
Zuul 09a377232a Merge "launch: Automatically do RAX rdns updates when launching nodes" 2022-12-21 23:09:39 +00:00
Ian Wienand b5e72b4aa1
Linaro: initial cloud config
This is just enough to get the cloud-launcher working on the new
Linaro cloud.  It's a bit of a manual setup, and much newer hardware,
so trying to do things in small steps.

Change-Id: Ibd451e80bbc6ba6526ba9470ac48b99a981c1a8d
2022-12-21 10:40:49 +11:00
Clark Boylan 79e4232914 Update Gerrit to version 3.6
This should only be landed as part of our upgrade process. This change
will not upgrade Gerrit properly on its own.

Note, we keep Gerrit 3.5 image builds and 3.5 -> 3.6 upgrade jobs in
place until we are certain we won't roll back. Once we've crossed that
threshold we can drop 3.5 image builds, add 3.7 image builds, and update
the upgrade testing to perform a 3.6 -> 3.7 upgrade.

Change-Id: I40c4f96cc40edc5caeb32a1af80069ef784967fd
2022-12-12 10:48:16 -08:00
Ian Wienand 20d2643f74
launch: Automatically do RAX rdns updates when launching nodes
On the old bridge node we had some unmanaged venv's with a very old,
now unmaintained RAX DNS API interaction tool.

Adding the RDNS entries is fairly straight forward, and this small
tool is mostly a copy of some of the bits for our dns api backup tool.
It really just comes down to getting a token and making a post request
with the name/ip addresses.

When the cloud the node is launched as is identified as RAX, this will
automatically add the PTR records for the ip4 & 6 addresses.  It also
has an entrypoint to be called manually.

This is added and hacked in, along with a config file for the
appropriate account (I have added these details on bridge).

I've left the update of DNS entries as a manual
procedure.  Although they could be set automatically with small
updates to the tool (just a different POST) -- details like CNAMES,
etc. and the relatively few servers we start in the RAX mangaed DNS
domains means I think it's easier to just do manually via the web ui.
The output comment is updated.

Change-Id: I8a42afdd00be2595ca73819610757ce5d4435d0a
2022-12-01 11:26:32 +11:00
Ian Wienand cfdbec4b16
statusbot: add mastodon config options
The dependent change allows us to also post to mastodon.  Configure
this to point to fosstodon where we have an opendevinfra account.

Change-Id: Iafa8074a439315f3db74b6372c1c3181a159a474
2022-11-16 11:02:07 +11:00
Ian Wienand d4c46ecdef
Abstract name of bastion host for testing path
This replaces hard-coding of the host "" with
hard-coding of the first (and only) host in the group "bastion".

The idea here is that we can, as much as possible, simply switch one
place to an alternative hostname for the bastion such as
"" when we upgrade.  This is just the testing path,
for now; a follow-on will modify the production path (which doesn't
really get speculatively tested)

This needs to be defined in two places :

 1) We need to define this in the run jobs for Zuul to use in the
    playbooks/zuul/run-*.yaml playbooks, as it sets up and collects
    logs from the testing bastion host.

 2) The nested Ansible run will then use inventory

Various other places are updated to use this abstracted group as the
bastion host.

Variables are moved into the bastion group (which only has one host --
the actual bastion host) which means we only have to update the group
mapping to the new host.

This is intended to be a no-op change; all the jobs should work the
same, but just using the new abstractions.

Change-Id: Iffb462371939989b03e5d6ac6c5df63aa7708513
2022-10-20 09:00:43 +11:00
Ian Wienand e65928128b
Move clouds definitions into control-planes-clouds group
As a short history diversion, at one point we were trying building
diskimage-builder based images for upload to our control-plane
(instead of using upstream generic cloud images).  This didn't really
work because the long-lived production servers led to leaking images
and nodepool wasn't really meant to deal with this lifecycle.

Before this the only thing that needed credentials for the
control-plane clouds was bridge.
Id1161bca8f23129202599dba299c288a6aa29212 reworked things to have a
control-plane-clouds group which would have access to the credential

So at this point we added
zuul/templates/group_vars/control-plane-clouds.yaml.j2 with stub
variables for testing.

However, we also have the same cloud: variable with stub variables in
zuul/templates/host_vars/  This is
overriding the version from control-plane-clouds because it is more
specific (host variable).  Over time this has skewed from the
control-plane-clouds definition, but I think we have not noticed
because we are not updating the control-plane clouds on the non-bridge
(nodepool) nodes any more.

This is a long way of saying remove the bridge-specific definitions,
and just keep the stub variables in the control-plane-clouds group.

Change-Id: I6c1bfe7fdca27d6e34d9691099b0e1c6d30bb967
2022-10-20 09:00:41 +11:00
Clark Boylan fa9aca784d Update colibri for all the JVBs
We are currently running an all in one jitsi meet service at due to connectivity issues for colibri websockets to
the jvb servers. Before we open these up we need to configure the http
server for websockets on the jvbs to do tls as they are on different

Note it isn't entirely clear yet if a randomly generated keystore is
sufficient for the needs of the jvb colibri websocket system. If not we
may need to convert an LE provisioned cert and key pair into a keystore.

Change-Id: Ifbca19f1c112e30ee45975112863fc808db39fc9
2022-09-16 12:10:00 -07:00
Ian Wienand 55654851bc system-config-run-borg-backup: rename hosts to distro
Rename the testing hosts to be clearer that they are different

Change-Id: Ic4b2b4a1b1fa8bc9a9eb62dc2ccba529958f19cd
2022-08-11 13:32:49 +10:00
Ian Wienand 1c9dfc1fee gate-groups: remove old backup group
This was from the bup backup path, which has been removed.

Change-Id: If5f6dbd063564eac21f3c85c5eed608554c81b79
2022-08-10 10:14:56 +10:00
Ian Wienand a36ee527c8 system-config-run-borg-backup: add jammy test host
With Jammy production nodes coming, add testing to the backup roles on
this distro.

Change-Id: I7d7733c7a52918b1faa65c3d0dcfd2cf94e66066
2022-08-10 10:14:56 +10:00
Ian Wienand 08644ae925 mirror-update: move testing to mirror-update99
Keeping the testing nodes at the other end of the namespace separates
them from production hosts.  This one isn't really referencing itself
in testing like many others, but move it anyway.

Change-Id: I2130829a5f913f8c7ecd8b8dfd0a11da3ce245a9
2022-08-05 08:18:55 +10:00
Ian Wienand 5ba37ced60 paste: move certificate to group variable
Similar to Id98768e29a06cebaf645eb75b39e4dc5adb8830d, move the
certificate variables to the group definition file, so that we don't
have to duplicate handlers or definitions for the testing host.

Change-Id: I6650f5621a4969582f40700232a596d84e2b4a06
2022-08-05 08:18:55 +10:00
Ian Wienand 939233e4e4 paste : move testing host to paste99, remove https hacks
Move the paste testing server to paste99 to distinguish it in testing
from the actual production paste service.  Since we have certificates
setup now, we can directly test against "",
removing the insecure flags to various calls.

Change-Id: Ifd5e270604102806736dffa86dff2bf8b23799c5
2022-07-07 10:02:46 +10:00
Ian Wienand 72a0ad6d19 gitea-lb: test ssl connections during testing too
To make testing more like production, copy the OpenDev CA into the
haproxy container configuration directory during Zuul runs.  We then
update the testing configuration to use SSL checking like production
does with this cert.

Change-Id: I1292bc1aa4948c8120dada0f0fd7dfc7ca619afd
2022-07-07 10:02:46 +10:00
Ian Wienand 0d83dd3ea0 letsencrypt: selfsigned testing certs - use common CA, setup SAN
Some of our testing makes use of secure communication between testing
nodes; e.g. testing a load-balancer pass-through.  Other parts
"loop-back" but require flags like "curl --insecure" because the
self-signed certificates aren't trusted.

To make testing more realistic, create a CA that is distributed and
trusted by all testing nodes early in the Zuul playbook.  This then
allows us to sign local certificates created by the letsencrypt
playbooks with this trusted CA and have realistic peer-to-peer secure

The other thing this does is reworks the letsencrypt self-signed cert
path to correctly setup SAN records for the host.  This also improves
the "realism" of our testing environment.  This is so realistic that
it requires fixing the gitea playbook :).  The Apache service proxying
gitea currently has to override in testing to "localhost" because that
is all the old certificate covered; we can now just proxy to the
hostname directly for testing and production.

Change-Id: I3d49a7b683462a076263127018ec6a0f16735c94
2022-07-07 10:02:46 +10:00
Ian Wienand 28166a9755 gitea: fix loadbalancer forwarding in testing
We have moved to a situation where we proxy requests to gitea (3000)
via Apache listening on 3081 -- this is useful for layer 7 filtering
like matching on user-agents.

It seems like we missed some of this configuration in our
load-balancer testing.  Update the https forward on the load-balancer
to port 3081 on the gitea test host.

Also, remove the explicit port opening in the testing group_vars; for
some reason this was not opening port 3080 (http).  This will just use
the production settings when we don't override it.

Change-Id: Ic5690ed893b909a7e6b4074a1e5cd71ab0683ab4
2022-07-06 09:28:47 +10:00
Zuul 9854428ce0 Merge "gerrit: Update to 3.5 for production" 2022-06-19 21:40:27 +00:00
Clark Boylan a88adc4101 Auto update nodepool launchers
We previously auto updated nodepool builders but not launchers when new
container images were present. This created confusion over what versions
of nodepool opendev is running. Use the same behavior for both services
now and auto restart them both.

There is a small chance that we can pull in an update that breaks things
so we run serially to avoid the most egregious instances of this

Change-Id: Ifc3ca375553527f9a72e4bb1bdb617523a3f269e
2022-06-16 08:23:17 -07:00
Ian Wienand 0040465a45 gerrit: Update to 3.5 for production
This updates the gerrit configuration to deploy 3.5 in production.
For details of the upgrade process see:

Change-Id: I50c9c444ef9f798c97e5ba3dd426cc4d1f9446c1
2022-06-02 15:24:37 +10:00
Zuul 538a9a3e84 Merge "etherpad: remove session key" 2022-05-04 06:27:45 +00:00
Ian Wienand 29202eba1a zuul-lb : issue HEAD / checks
As found in Ie5d55b2a2d96a78b34d23cc6fbac62900a23fc37, the default for
this is to issue "OPTIONS /" which is kind of a weird request.  The
Zuul hosts currently seem to return the main page content in response
to a OPTIONS request, which probably isn't right.

Make this more robust by just using "HEAD /" request.

Change-Id: Ibbd32ae744af9c33aedd087a8146195844814b3f
2022-03-08 10:24:03 +11:00
Jeremy Stanley 4061acd3e7 Add check keyword to balance_zuul_https servers
Apparently the check-ssl option only modifies check behavior, but
does not actually turn it on. The check option also needs to be set
in order to activate checks of the server. See §5.2 of the haproxy
docs for details:;a=blob;f=doc/configuration.txt;h=e3949d1eebe171920c451b4cad1d5fcd07d0bfb5;hb=HEAD#l14396

Turn it on for all of our balance_zuul_https server entries.

Also set this on the gitea01 server entry in balance_git_https, so
we can make sure it's still seen as "up" once this change takes
effect. A follow-up change will turn it on for the other
balance_git_https servers out of an abundance of caution around that

Change-Id: I4018507f6e0ee1b5c30139de301e09b3ec6fc494
2022-03-07 18:11:46 +00:00
Clark Boylan f24bbf97a7 Do more robust checks against zuul-web with haproxy
Switch the port 80 and 443 endpoints over to doing http checks instead
of tcp checks. This ensures that both apache and the zuul-web backend
are functional before balancing to them.

The fingergw remains a tcp check.

Change-Id: Iabe2d7822c9ef7e4514b9a0eb627f15b93ad48e2
2022-03-04 14:17:51 -08:00
Clark Boylan df335525ab Haproxy http checks for Gitea
Previously we were only checking that Apache can open TCP connections to
determine if Gitea is up or down on a backend. This is insufficient
because Gitea itself may be down while Apache is up. In this situation
TCP connection to Apache will function, but if we make an HTTP request
we should get back an error.

To check if both Apache and Gitea are working properly we switch to
using http checks instead. Then if Gitea is down Apache can return a 500
and the Gitea backend will be removed from the pool. Similarly if Apache
is non functional the check will fail to connect via TCP.

Note we don't verify ssl certs for simplicity as checking these in
testing is not straightforward. We didn't have verification with the old
tcp checks so this isn't a regression, but does represent something we
could try and improve in the future.

Change-Id: Id47a1f9028c7575e8fbbd10fabfc9730095cb541
2022-02-15 09:59:52 -08:00
James E. Blair 2a9553ef25 Add Zuul load balancer
This adds a load balancer for zuul-web and fingergw.

Change-Id: Id5aa01151f64f3c85e1532ad66999ef9471c5896
2022-02-10 13:24:42 -08:00
James E. Blair 14f4a20628 Remove gearman from Zuul
Zuul no longer uses gearman, so we can remove the infrastructure
around it.

Change-Id: I3613d812971add4733d3fe509ee22835e5814ec6
2022-02-01 13:52:47 -08:00
James E. Blair 535b7162a1 Move Zuul SQL connection to "database"
The sql connection is no longer supported, we need to use "database"
instead.  The corresponding hostvars change has already been made
on bridge.

Change-Id: Ibcac56568f263bd50b2be43baa26c8c514c5272b
2022-01-27 16:46:32 -08:00
Clark Boylan 9bfacda1ac Upgrade Gerrit to 3.4
The actually upgrade will be performed manually, but this change will be
used to update the docker-compose.yaml file.

If we land this change prior to the upgrade then note the
manage-projects commands will be updated to use the 3.4 image possibly
while gerrit 3.3 is still running. I don't expect this to be a problem
as manage-projects operates via network protocols.

Change-Id: I5775f4518ec48ac984b70820ebd2e645213e702a
2022-01-24 10:54:54 -08:00
Zuul 2863b5a509 Merge "Use newlist's automate option" 2021-12-15 19:09:57 +00:00
Jeremy Stanley 759e285184 Use newlist's automate option
It appears that simply setting stdin to an empty string is
insufficient to make newlist calls from Ansible correctly look like
they're coming from a non-interactive shell. As it turns out, newer
versions of the command include a -a (--automate) option which does
exactly what we want: sends list admin notifications on creation
without prompting for manual confirmation.

Drop the test-time addition of -q to quell listadmin notifications,
as we now block outbound 25/tcp from nodes in our deploy tests. This
has repeatedly exposed a testing gap, where the behavior in
production was broken because of newlist processes hanging awaiting
user input even though we never experienced it in testing due to the
-q addition there.

Change-Id: I550ea802929235d55750c4d99c7d9beec28260f0
2021-12-15 17:42:58 +00:00
Zuul b044cba65a Merge "Block outbound SMTP connections from test jobs" 2021-12-14 20:46:12 +00:00
Jeremy Stanley e2dbda1bec Block outbound SMTP connections from test jobs
Our deployment tests don't need to send E-mail messages. More to the
point, they may perform actions which would like to send E-mail
messages. Make sure, at the network level, they'll be prevented from
doing so. Also allow all connections to egress from the loopback
interface, so that services like mailman can connect to the Exim MTA
on localhost.

Add new rolevars for egress rules to support this, and also fix up
some missing related vars in the iptables role's documentation.

Change-Id: If4acd2d3d543933ed1e00156cc83fe3a270612bd
2021-12-09 18:46:38 +00:00
James E. Blair dbc69021e2 Add zuul-client config to schedulers
This adds a zuul-client config file as well as a convenience script
to execute the docker container to the schedulers.

Change-Id: Ief167c6b7f0407f5eaebecde552e8d91eb3d4ab9
2021-12-07 14:26:29 -08:00
Zuul 5a2f1c7037 Merge "Add local auth provider to zuul" 2021-12-07 17:54:57 +00:00