The Limesurvey service hosted at survey.openstack.org was a beta
which saw limited use. The platform it runs on, Xenial, is now EOL
from Ubuntu/Canonical and in order to upgrade to a newer
distribution release we would need to rewrite all the configuration
management (the version of Puppet supported by newer Ubuntu is not
backward-compatible with what we've been running).
If a similar service becomes interesting to users of our
collaboratory in the future, it will need to be reintroduced with
freshly written configuration management anyway. The old configs and
documentation remain in our Git history should anyone wish to use
them as inspiration.
Change-Id: I59b419cf112d32f20084ab93eb6f2417a7f93fdb
We are going to cleanup firehose.openstack.org as it never really ended
up being used for significant things and we would need to rewrite the
puppet into ansible at this point. Before we cleanup the server ensure
that things are not talking to it.
The only thing I can find that externally talks to it is the subunit
workers. germqtt and lpmqtt run on firehose so will be cleaned out when
firehose goes away.
Change-Id: I5b657aad1a276a18e58d09f5b2108940d0bd8ac2
Our Mailman site templates and similar content contain links to an
old openstack-security page on the foundation-run site which no
longer exists. Correct this to the OpenStack community's security
site, which should be much more stable.
Change-Id: I9577540319c53f76afc40a33b2c5697280397149
1) The string is interpolated into JavaScript string which is
delimited using double quotation marks - using double quotation
marks in it breaks JavaScript parsing. The impact is unknown
but at least some JavaScript code does not get executed later.
2) The anchor was unproperly closed causing void anchor to appear.
This is clearly visible on the rendered page.
Change-Id: I90cdcdd81c6af67f940c1811b1b9c05f9309ba15
We can rely on Require instead of Order, Allow, Deny, Satisfy since we
are all on apache 2.4 now. This simplifies reasoning about acl rules.
Change-Id: Idedba1558ccaa1c753d1175e356bf26a8d4b1084
The active releases according to [1] are octopus and nautlius. Remove
the old releases from our mirroring. This needs manual cleanup of the
jobs and volumes -- I will do this manually as this is mostly about
clearing out old things before moving the mirroring to Ansible.
[1] https://docs.ceph.com/en/latest/releases/
Change-Id: I050f737521fa6837f3b6b52b8028a839a29f7bd2
Nobody maintains our askbot website, and questions there go
unanswered. In the spirit of simplification, make the site
read-only (so that old answers can still be found) and redirect
users to the openstack-discuss mailing-list and Stack Overflow
(which has a decent openstack community answering questions).
Read-only config values documented at:
https://github.com/ASKBOT/askbot-devel/blob/master/askbot/conf/access_control.py
Change-Id: I33d9d7c87a5a17138fcdc37ee8f8b16cda2248d5
Remove the separate "mirror_opendev" group and rename it to just
"mirror". Update various parts to reflect that change.
We no longer deploy any mirror hosts with puppet, remove the various
configuration files.
Depends-On: https://review.opendev.org/728345
Change-Id: Ia982fe9cb4357447989664f033df976b528aaf84
Due to a configuration issue, zuul.openstack.org is currently throwing
SSL validation errors. Update the status.openstack.org to the
canonical OpenStack tenant page directly.
Change-Id: Idf08e140de11126061cb6f9783d13dc64fefff60
This is a follow-up on nocanon from [1].
This ensures Apache does not filter any requests originally
containing encoded slashes.
[1] I5a3a6551536e2d1e87aa074e0de7619a367b1971
Change-Id: I94fcb67a914da6ab4d6e1bfd0a2e02121d22559c
Kolla Monasca Grafana images are currently not buildable in CI
due to:
404 Not Found - GET http://mirror.bhs1.ovh.openstack.org:8080/registry.npmjs/@types%2fcolor-name
The url-escaped slash gets mangled by Apache on its way to
registry which causes 404.
This patch fixes that.
Change-Id: I5a3a6551536e2d1e87aa074e0de7619a367b1971
As described in the dependent change, which removes the environment
var to set this up, this is no longer required.
Story: #2006598
Task: #39014
Change-Id: I93455dd1512aeb9111feaf516abfb60695976663
Depends-On: https://review.opendev.org/714543
We previously had two manually issued certs (one each for opendev.org
and openstack.org) but now have a single cert with all the appropriate
names in it automatically issued by LE. Use this new cert before the old
one expires.
Change-Id: I635d2bfd820fe138ee951833dd66f157b2b7c097
This reverts commit c25e91f496.
This script parses the Apache logs and writes out a local count of the
404 data to files.openstack.org, and then exports it via
files.openstack.org.
As part of the spec [1] we're trying to remove publishing from local
volumes, in general.
Since this is not widely used, there is only one link to it, it's not
discoverable from the landing page of files.openstack.org (which just
shows the afs directory listing), it has a very long latency making it
not that useful for debugging and grepping the logs there have been no
accesses in the past 2 weeks (as far back as logs go) I propose we
remove it.
If we want to retain this, we should publish the output alongside the
docs AFS volume. That could certainly be done by distributing the
docs keytab to the host and having it write out in a similar cron job.
Another option could be to setup a keypair for remote login and keep
that as a secret in Zuul, and do the same from a periodic job
(complicated by apache logs being root only, so needs some sudo magic
or similar). Or, we could figure out an altogether better, privacy
respecting client analytics solution.
[1] https://docs.opendev.org/opendev/infra-specs/latest/specs/retire-static.html
Depends-On: https://review.opendev.org/709036
Change-Id: Iccf24a72cf82592bae8c699f9f857aa54fc74f10
This switches the zuul-ci.org/zuulci.org vhost to use newly issued
letsencrypt certs. It also does the same for git.zuul-ci.org, which
is a different vhost. Since that vhost is tied into a configuration
which can't accept cert file paths (only content), adjust it to use
the newer "website" manifest pattern which can.
Change-Id: I0cd0407754466327147917390c578da336e61269
This will allow Kolla to run Ubuntu/arm64 CI jobs.
https://review.opendev.org/701121 fails without it.
Change-Id: Ia697fa4ceb8bfb0ee879e167a3b9d7c4b2e50807
Ceph Nautilus is released and the official mirror
is available. This adds the Ceph Nautilus mirror
so we can sync it for Stretch and Bionic.
Based on the same change that was done when Mimic
was released [1]
[1] https://review.opendev.org/#/c/571989/
Change-Id: I9424d1f4df58acde8ea70dc16283d4de89189bae
Sharing an updates file between the Debian and Ubuntu reprepro runs
causes some warnings, and is generally just unclean. They use
different release naming and repositories, so should just have
separate updates files to track them (they're already separate on
the server, they were just being copied from the same source file in
the module).
While here, remove the label and suite parameters from the Debian
reprepro distribution templates, as they're unnecessary and
potentially confusing (job nodes should never be relying on the
suite names as they change at the next release).
Also allow signatures from subkeys of the listed keys to be
sufficient to verify the debian-security mirror's release files,
like we do for the debian mirror.
Change-Id: Id0ff476864f936bbd7c4637f3dc9e2c219c6e465
This change adds a proxy config for quay which should assist
us when gating using images provided by the publically
available registry.
Change-Id: I971705e59724e70bd9d42a6920cf4f883556f673
Signed-off-by: Kevin Carter <kecarter@redhat.com>
This is a follow on to I67870f6d439af2d2a63a5048ef52cecff3e75275 to do
the same for files.openstack.org (as
http://files.openstack.org/mirror/logs/ is a handy central place to
point people at)
Change-Id: I07c707d45ab3e3c6f87460b3346efd7026467c56
This change adds a proxy config for registry.access.redhat which should
assist us when gating using images provided by the publically available
registry.
Change-Id: Ica7477d63659610de852d305a63f3e78d0dd8c4f
Signed-off-by: Kevin Carter <kecarter@redhat.com>
This reverts commit b3ce1c52dc.
It removed the AFS mirror at the same time it added the proxy,
but jobs don't know to look for the proxy since it's on a
totally different TCP port.
Change-Id: I87cc03eb3322bd7b093dd6fe798aadb48f319805
To deal with puppet scoping fun we evaluate the template for our
files.o.o website vhosts in the context of the website define and not in
the context of httpd::vhost.
Change-Id: I90bb881eb6ad78cede3a8a2548e1dfcf24e1160b
It doesn't seem like this is used anymore. Let's remove it before
we update the rest of this, so that we don't have to, you know,
update abandoned things.
Change-Id: I1c3708021046a428da82eaa843961091915ba4af
Tumbleweed is only rarely used in the openStack CI, so mirroring it
fully is not worth the time/space overhead. a caching proxy
should be good enough. Add it to the directories to clean up
and remove the older entries because they will no longer be
matching.
Change-Id: I987da098cf4a7330cdec8da9ae3cfbff2f330bf8
There are many references to review.openstack.org, and while the
redirect should work, we can also go ahead and fix them.
Change-Id: I28f398796a6392a3dffea1d25cfe2ae3a36a3589
The server has been removed, remove it from inventory.
While we're here, s/graphite.openstack.org/graphite.opendev.org/'
... it's a CNAME redirect but we might as well clean up.
Change-Id: I36c951c85316cd65dde748b1e50ffa2e058c9a88
Ian Wienand