We've recently been unable to back up from gitea09 to the vexxhost backup
server. Testing indicates that ipv6 connectivity between the two servers
is the likely issue. Address this by forcing all backups to run over
ipv4 instead of ipv6. We could restrict this to only gitea09 if we
wanted to and/or only when the vexxhost server is the target, but this
is the simplest way to make the change in the existing configuration
management.
Change-Id: Ic868ded7d923b822d757a57416f879fd59c003e9
This reverts commit d346d5375ffb70c3cea37def33f4d52887d8d276.
We make small edits to the .ssh/config file to make MINA ssh client
happy. In particular we need to use the path to the ssh key within the
Gerrit container and not on the host side.
This exact .ssh/config file has been tested on held nodes that appear
to properly replicate from a test gerrit99 to a test gitea99 after
adding the pubkey to gerrit and accepting the hostkey for gitea on the
gerrit side.
Change-Id: I41caac08f6713ad385c98eea46fb004a414fab5d
Recently, jaeger has started taking around 80 seconds to listen on
its socket, resulting in deployment job failures. Double the timeout
to 120 seconds.
Change-Id: I1c53ba1a9282309d3f1f772221a5bff69f04d134
There is an Ansible bug where if successive tasks are separated in time
by the ssh controlpersist timeout Ansible will race ssh's updates to the
connection causing the second task to fail with an rc of -13 [0].
Statistically we believe that the longer times between tasks are less
likely. This means ssh controlpersist timeout values that are larger
will be less likely to have ansible hit this bug. Increase the value
from a default of 60s to 180s to take advantage of this probability.
[0] https://github.com/ansible/ansible/issues/81777
Change-Id: Ic40730c3e0bd814e6a5c739e4415657594362032
Gerrit is unable to load the key, further testing is required to
figure out why.
This reverts commit 3ea2ca4bab1dc273d72ab3b0008d892f1fcd9407.
Change-Id: Ic169b2d0bf16c25caf7e61d824f5d6500147767c
The Gerrit 3.9 release notes [0] indicate this is a very similar upgrade
to the previous 3.7 to 3.8 upgrade. Specifically we only need to run
init and online reindexing will occur on startup of the new version.
For this reason not much changes other than version numbers.
[0] https://www.gerritcodereview.com/3.9.html
Change-Id: I11f7b3d5e0c545d9b78fb656ea1f09fe57b5994e
We need to add java-prettify to our submodule setup as this is a new
gerrit submodule. While we're in there we also clean up some python
binary symlinks that were only necessary for Gerrit 3.5 and older.
The Gerrit 3.9.0 release was a bad release because it accidentally
updated lucene versions too far ahead of 3.8.x. This broke online
reindexing post upgrade from 3.8.x to 3.9.0. To address this the Gerrit
project pulled 3.9.0, reverted a bunch of stuff, made a 3.9.0-rc6, we
tested this (as did others), and when everything was working as expected
released 3.9.1 to replace 3.9.0. That is the reason we are starting our
image builds with 3.9.1 and not 3.9.0.
It should be noted that 3.9.0 should be entirely avoided as well.
Depends-On: https://review.opendev.org/c/openstack/project-config/+/901479
Change-Id: Ice2201ce5a7b3f560923dce84af2603bdc709ab9
This change is related to a similar change [0] in gitea that
adds/rotates public keys for the gerrit user in gitea. We should be
happy with the approach on both sides of the gitea and gerrit
replication interaction before proceeding.
This is motivated by changes in gitea that make it more picky about the
keys it will accept by default. Rather than disable those checks we're
switching keys to be more acceptable.
The end result is the use of 4096 bit RSA keys. We did consider ed25519
keys but there is concern that the Gerrit replication plugin may not be
able to handle them as they only come in the new openssh key file
format. The replication plugin docs indicate PEM format should be used
instead. It is possible that new MINA in gerrit handles this fine but we
stick with what we know works to avoid problems.
[0] https://review.opendev.org/c/opendev/system-config/+/901082
Change-Id: I36704b7f8c0710fb5142153f99418eb200860bee
This is mostly a formality as upstream of us the content was already
removed and we synced that removal. But this will do a little extra
cleanup for us to make it look even less like a mirror of Fedora 36.
I also kept the structure of the file rather than deleting the code to
sync Fedora content. This should make it easy for someone to pick this
back up in the future if there is a need and ability to maintain it.
Change-Id: I976304727a06bd36eb05201043aac3861ee66937
One spot is a default for testing that I'm pretty sure we override
everywhere anyway and the other is the resource requirement for the
infra-prod deployment job. Neither are critical, but good to have both
up to date after our upgrade.
Change-Id: If74ec2707cfadff1772596891e5a2783e83eb01b
This change refactors how gerrit's key(s) in gitea are managed. The
motivation behind this is to allow us to do key rotation with overlap in
accepted keys. To do this we first check which keys are present. Then
any missing keys are added. Finally we remove any keys which are not in
our key options.
This also corrects a bug where replacing keys would've required two
Ansible passes to delete the old key then add the new key. All keys
should be properly set in a single Ansible pass with this update.
Change-Id: I1eaf5ae89542e3e4f479c77e4df72a34d65d9c46
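
The check, add, then remove sequence described in the commit message above, sketched as an added example; it is not the system-config change itself or any Gitea API. The function names, the {"id", "key"} listing shape, and the sample keys are assumptions made for illustration.

```python
"""Added example: single-pass reconciliation of accepted SSH public keys."""

def normalize(pubkey):
    """Reduce an OpenSSH public key line to (type, base64 body); drop the comment."""
    parts = pubkey.split()
    if len(parts) < 2:
        raise ValueError("not an OpenSSH public key line: %r" % pubkey)
    return parts[0], parts[1]

def plan_key_sync(present, desired):
    """Return ordered operations that make `present` match `desired`.

    present: list of {"id": int, "key": str}; hypothetical listing shape.
    desired: list of public key lines that should be accepted.
    Adds come before deletes so a replacement never leaves zero valid keys.
    """
    want = {normalize(k): k for k in desired}
    have = {normalize(p["key"]): p["id"] for p in present}
    adds = [("add", want[n]) for n in want if n not in have]
    deletes = [("delete", have[n]) for n in have if n not in want]
    return adds + deletes

def apply_plan(present, plan):
    """Apply a plan to an in-memory key list standing in for the remote service."""
    state = list(present)
    next_id = max([p["id"] for p in state], default=0) + 1
    for op, arg in plan:
        if op == "add":
            state.append({"id": next_id, "key": arg})
            next_id += 1
        else:
            state = [p for p in state if p["id"] != arg]
    return state

# Constructed sample keys; the bodies are placeholders, not real key material.
OLD = "ssh-rsa AAAAB3OLDKEYBODY gerrit-old"
NEW = "ssh-rsa AAAAB3NEWKEYBODY gerrit-new"
STALE = "ssh-rsa AAAAB3STALEBODY forgotten"

def rotate_with_overlap():
    """Rotate OLD to NEW in two config changes, each converging in one pass."""
    state = [{"id": 1, "key": OLD}, {"id": 2, "key": STALE}]
    state = apply_plan(state, plan_key_sync(state, [OLD, NEW]))  # overlap window
    overlap = sorted(p["key"] for p in state)
    state = apply_plan(state, plan_key_sync(state, [NEW]))       # retire OLD
    return overlap, [p["key"] for p in state]

if __name__ == "__main__":
    print(rotate_with_overlap())
```
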
This project didn't proceed past the test phase,
let's clean it up.
Revert "Add a functional test for registry.zuul-ci.org"
This reverts commit e701fdd3ca1d798bd912b19e91e154e8a88f43b8.
Revert "Add testinfra for registry.zuul-ci.org"
This reverts commit e00f4e59b39cabc3e33823a957d3623dce06f9c4.
Revert "Add static site for registry.zuul-ci.org"
This reverts commit 31b505d3ba29f751b8f02ff365ee6de6b5d350f9.
Revert "Add SSL cert for registry.zuul-ci.org"
This reverts commit d0a8473d42bb0ee3ab1cc8bffbf5bb2fea90f755.
Change-Id: I1d39306187c7b2d7a908389f88d1a60e1b29ffe3
Refresh our versions of settings.json.docker and
settings.json.template from upstream, incorporating our local
preferences as edits to the latter (the former is included in the
container image we publish but the latter gets mapped over it during
deployment).
Changes to the required version of node-log4js in Etherpad 1.9.4
will invalidate our custom logging configuration and error out,
preventing the service from starting, so go ahead and remove it now.
Change-Id: Ic05ed9be7b6900ba9cdfa09b28600bcd55b770fd
Now that we no longer run a Mailman v2 server, we can drop all the
automation we used for deploying and maintaining it.
Change-Id: I522cdbef86d1fe491d446e4b721a7873564c927a
Now that the Mailman v3 migration is complete, we no longer need any
divergence between the lists01 (production) and lists99 (test node)
host vars, so put everything into the group vars file instead.
Change-Id: If92943694e95ef261fbd254eff65a51d8d3f7ce5
Note this should only be merged after the manual upgrade process is
completed. We still don't have that automated yet, but do eventually
need our config management to match what we've updated by hand.
Change-Id: I721228637ceaab47263afbae6522da0166d6ed27
This reverts commit a77eebe911b9651575c32dec8cb5ac84e4057192.
Ruamel.yaml 0.18.2 converted the error associated with the use of this
deprecated method from a sys.exit(1) to a raised Exception. It is
believed that this will allow Ara to run in some capacity and we don't
need to pin this dependency anymore.
More details in the upstream bug here:
https://github.com/ansible-community/ara/issues/524
Change-Id: I694b8a016755d828490f0bcf4c6ceb812edf43d9
The OpenInfra Foundation executive team is requesting creation of
new mailing lists on lists.openinfra.dev for the foundation's new EU
hub. One list will have an open subscription policy and publicly
available archives, while the other will be utilized by the advisory
board for any sensitive topics that must be kept private.
Change-Id: I138bcdddd8b8feeb94adb71f0ba5e03d8c809e20
ARA is not compatible with latest ruamel.yaml which leads to errors
running ansible. Fix this by capping the ruamel.yaml version we install.
Change-Id: Ia5db3ba8579e7e5c1fe375b156323b94f341ad3e
Gerrit 3.8 drops support for html in commentlinks entirely. Gerrit 3.7
supports both html and the new non html system. Update our 3.7
installation to the new system on 3.7 so that we are ready for the
Gerrit 3.8 upgrade later.
Most of our comment links did not use html entries so we drop the html
lines entirely. A single commentlink does use html and there we convert
it to the new prefix, link, text, suffix system. More details can be
found here:
https://gerrit.googlesource.com/gerrit/+/refs/tags/v3.8.2/tools/migration/html_to_link_commentlink.md
This should be a 1:1 mapping for our config and not change any behavior.
Change-Id: I0b87aac7b90814d242338be8fd03cfc9a76200f7