The Limesurvey service hosted at survey.openstack.org was a beta
which saw limited use. The platform it runs on, Xenial, is now EOL
from Ubuntu/Canonical and in order to upgrade to a newer
distribution release we would need to rewrite all the configuration
management (the version of Puppet supported by newer Ubuntu is not
backward-compatible with what we've been running).
If a similar service becomes interesting to users of our
collaboratory in the future, it will need to be reintroduced with
freshly written configuration management anyway. The old configs and
documentation remain in our Git history should anyone wish to use
them as inspiration.
We are going to cleanup firehose.openstack.org as it never really ended
up being used for significant things and we would need to rewrite the
puppet into ansible at this point. Before we cleanup the server ensure
that things are not talking to it.
The only thing I can find that externally talks to it is the subunit
workers. germqtt and lpmqtt run on firehose so will be cleaned out when
firehose goes away.
Our Mailman site templates and similar content contain links to an
old openstack-security page on the foundation-run site which no
longer exists. Correct this to the OpenStack community's security
site, which should be much more stable.
delimited using double quotation marks - using double quotation
2) The anchor was unproperly closed causing void anchor to appear.
This is clearly visible on the rendered page.
The active releases according to  are octopus and nautlius. Remove
the old releases from our mirroring. This needs manual cleanup of the
jobs and volumes -- I will do this manually as this is mostly about
clearing out old things before moving the mirroring to Ansible.
Nobody maintains our askbot website, and questions there go
unanswered. In the spirit of simplification, make the site
read-only (so that old answers can still be found) and redirect
users to the openstack-discuss mailing-list and Stack Overflow
(which has a decent openstack community answering questions).
Read-only config values documented at:
Remove the separate "mirror_opendev" group and rename it to just
"mirror". Update various parts to reflect that change.
We no longer deploy any mirror hosts with puppet, remove the various
Due to a configuration issue, zuul.openstack.org is currently throwing
SSL validation errors. Update the status.openstack.org to the
canonical OpenStack tenant page directly.
This is a follow-up on nocanon from .
This ensures Apache does not filter any requests originally
containing encoded slashes.
As described in the dependent change, which removes the environment
var to set this up, this is no longer required.
We previously had two manually issued certs (one each for opendev.org
and openstack.org) but now have a single cert with all the appropriate
names in it automatically issued by LE. Use this new cert before the old
This reverts commit c25e91f496.
This script parses the Apache logs and writes out a local count of the
404 data to files.openstack.org, and then exports it via
As part of the spec  we're trying to remove publishing from local
volumes, in general.
Since this is not widely used, there is only one link to it, it's not
discoverable from the landing page of files.openstack.org (which just
shows the afs directory listing), it has a very long latency making it
not that useful for debugging and grepping the logs there have been no
accesses in the past 2 weeks (as far back as logs go) I propose we
If we want to retain this, we should publish the output alongside the
docs AFS volume. That could certainly be done by distributing the
docs keytab to the host and having it write out in a similar cron job.
Another option could be to setup a keypair for remote login and keep
that as a secret in Zuul, and do the same from a periodic job
(complicated by apache logs being root only, so needs some sudo magic
or similar). Or, we could figure out an altogether better, privacy
respecting client analytics solution.
This switches the zuul-ci.org/zuulci.org vhost to use newly issued
letsencrypt certs. It also does the same for git.zuul-ci.org, which
is a different vhost. Since that vhost is tied into a configuration
which can't accept cert file paths (only content), adjust it to use
the newer "website" manifest pattern which can.
Ceph Nautilus is released and the official mirror
is available. This adds the Ceph Nautilus mirror
so we can sync it for Stretch and Bionic.
Based on the same change that was done when Mimic
was released 
Sharing an updates file between the Debian and Ubuntu reprepro runs
causes some warnings, and is generally just unclean. They use
different release naming and repositories, so should just have
separate updates files to track them (they're already separate on
the server, they were just being copied from the same source file in
While here, remove the label and suite parameters from the Debian
reprepro distribution templates, as they're unnecessary and
potentially confusing (job nodes should never be relying on the
suite names as they change at the next release).
Also allow signatures from subkeys of the listed keys to be
sufficient to verify the debian-security mirror's release files,
like we do for the debian mirror.
This change adds a proxy config for quay which should assist
us when gating using images provided by the publically
Signed-off-by: Kevin Carter <email@example.com>
This is a follow on to I67870f6d439af2d2a63a5048ef52cecff3e75275 to do
the same for files.openstack.org (as
http://files.openstack.org/mirror/logs/ is a handy central place to
point people at)
This change adds a proxy config for registry.access.redhat which should
assist us when gating using images provided by the publically available
Signed-off-by: Kevin Carter <firstname.lastname@example.org>
This reverts commit b3ce1c52dc.
It removed the AFS mirror at the same time it added the proxy,
but jobs don't know to look for the proxy since it's on a
totally different TCP port.
To deal with puppet scoping fun we evaluate the template for our
files.o.o website vhosts in the context of the website define and not in
the context of httpd::vhost.
It doesn't seem like this is used anymore. Let's remove it before
we update the rest of this, so that we don't have to, you know,
update abandoned things.
Tumbleweed is only rarely used in the openStack CI, so mirroring it
fully is not worth the time/space overhead. a caching proxy
should be good enough. Add it to the directories to clean up
and remove the older entries because they will no longer be
The server has been removed, remove it from inventory.
While we're here, s/graphite.openstack.org/graphite.opendev.org/'
... it's a CNAME redirect but we might as well clean up.