2822 Commits

Author SHA1 Message Date
Clark Boylan
af653f3371 Pin py docker when installing docker-compose
Py docker 7.0.0 introduced an incompatibility with old python
docker-compose. Pin it to the older version to ensure compatibility.

Notes on the change can be found here:
  https://stackoverflow.com/questions/77641240/getting-docker-compose-typeerror-kwargs-from-env-got-an-unexpected-keyword-ar

And you can see our jobs installing the wrong version here and then
failing later:
  https://zuul.opendev.org/t/openstack/build/6575c9d7fb56463fa6e97b2a12d6f389/log/job-output.txt#16116-16117

Change-Id: I7ecf7c43b762855881c137e218adcc51e3a32444
2023-12-15 09:33:28 -08:00
Clark Boylan
4d25261bb6 Force borg backups to run over ipv4
We've recently been unable to back up from gitea09 to the vexxhost backup
server. Testing indicates that ipv6 connectivity between the two servers
is the likely issue. Address this by forcing all backups to run over
ipv4 instead of ipv6. We could restrict this to only gitea09 if we
wanted to and/or only when the vexxhost server is the target, but this
is the simplest way to make the change in the existing configuration
management.

Change-Id: Ic868ded7d923b822d757a57416f879fd59c003e9
2023-12-11 08:32:14 -08:00
Zuul
6ba06de8e4 Merge "Add gerrit 3.8 to 3.9 upgrade testing" 2023-12-07 17:59:08 +00:00
Zuul
21fd65e03f Merge "Add gerrit 3.9 image builds" 2023-12-07 17:59:06 +00:00
Zuul
c6b985eb7a Merge "Reapply "Switch Gerrit replication to a larger RSA key"" 2023-12-06 19:19:43 +00:00
Clark Boylan
70589a5a05 Reapply "Switch Gerrit replication to a larger RSA key"
This reverts commit d346d5375ffb70c3cea37def33f4d52887d8d276.

We make small edits to the .ssh/config file to make MINA ssh client
happy. In particular we need to use the path to the ssh key within the
Gerrit container and not on the host side.

This exact .ssh/config file has been tested on held nodes that appear
to properly replicate from a test gerrit99 to a test gitea99 after
adding the pubkey to gerrit and accepting the hostkey for gitea on the
gerrit side.

Change-Id: I41caac08f6713ad385c98eea46fb004a414fab5d
2023-12-06 09:02:17 -08:00
Jeremy Stanley
b2c9c2f1e8 Increase jaeger startup timeout
Recently, jaeger has started taking around 80 seconds to listen on
its socket, resulting in deployment job failures. Double the timeout
to 120 seconds.

Change-Id: I1c53ba1a9282309d3f1f772221a5bff69f04d134
2023-12-06 16:42:50 +00:00
Zuul
73124ce1db Merge "Increase bridge's ansible ssh controlpersist timeout to 180s" 2023-12-05 22:42:05 +00:00
Zuul
8110f15ac3 Merge "Remove Ansible configuration and inventory entries for old mirror servers" 2023-12-05 22:42:03 +00:00
Zuul
d606636d2a Merge "Revert "Switch Gerrit replication to a larger RSA key"" 2023-12-05 20:09:49 +00:00
Tony Breeds
a9ad2b4468 Remove Ansible configuration and inventory entries for old mirror servers
Remove the old mirror nodes after we switched the workloads to newer
jammy nodes in [1]

[1] https://review.opendev.org/c/opendev/zone-opendev.org/+/902100

Change-Id: Ib33f9ae4f0e993b14b0b5c0137af33b917ded386
2023-12-05 12:35:04 -06:00
Clark Boylan
a45afbeac5 Increase bridge's ansible ssh controlpersist timeout to 180s
There is an Ansible bug where if successive tasks are separated in time
by the ssh controlpersist timeout Ansible will race ssh's updates to the
connection causing the second task to fail with an rc of -13 [0].

Statistically we believe that the longer times between tasks are less
likely. This means ssh controlpersist timeout values that are larger
will be less likely to have ansible hit this bug. Increase the value
from a default of 60s to 180s to take advantage of this probability.

[0] https://github.com/ansible/ansible/issues/81777

Change-Id: Ic40730c3e0bd814e6a5c739e4415657594362032
2023-12-05 08:16:23 -08:00
Zuul
322e4694ed Merge "Add debugging info to certcheck list building" 2023-12-02 03:29:30 +00:00
Jeremy Stanley
d346d5375f Revert "Switch Gerrit replication to a larger RSA key"
Gerrit is unable to load the key, further testing is required to
figure out why.

This reverts commit 3ea2ca4bab1dc273d72ab3b0008d892f1fcd9407.

Change-Id: Ic169b2d0bf16c25caf7e61d824f5d6500147767c
2023-12-02 01:02:11 +00:00
Zuul
05500326d6 Merge "Switch Gerrit replication to a larger RSA key" 2023-12-02 00:00:15 +00:00
Clark Boylan
ca97f1e0d6 Add gerrit 3.8 to 3.9 upgrade testing
The Gerrit 3.9 release notes [0] indicate this is a very similar upgrade
to the previous 3.7 to 3.8 upgrade. Specifically we only need to run
init and online reindexing will occur on startup of the new version.
For this reason not much changes other than version numbers.

[0] https://www.gerritcodereview.com/3.9.html

Change-Id: I11f7b3d5e0c545d9b78fb656ea1f09fe57b5994e
2023-12-01 14:01:40 -08:00
Clark Boylan
aadce43971 Add gerrit 3.9 image builds
We need to add java-prettify to our submodule setup as this is a new
gerrit submodule. While we're in there we also clean up some python
binary symlinks that were only necessary for Gerrit 3.5 and older.

The Gerrit 3.9.0 release was a bad release because it accidentally
updated lucene versions too far ahead of 3.8.x. This broke online
reindexing post upgrade from 3.8.x to 3.9.0. To address this the Gerrit
project pulled 3.9.0, reverted a bunch of stuff, made a 3.9.0-rc6, we
tested this (as did others), and when everything was working as expected
released 3.9.1 to replace 3.9.0. That is the reason we are starting our
image builds with 3.9.1 and not 3.9.0.

It should be noted that 3.9.0 should be entirely avoided as well.

Depends-On: https://review.opendev.org/c/openstack/project-config/+/901479
Change-Id: Ice2201ce5a7b3f560923dce84af2603bdc709ab9
2023-12-01 13:59:50 -08:00
Clark Boylan
3ea2ca4bab Switch Gerrit replication to a larger RSA key
This change is related to a similar change [0] in gitea that
adds/rotates public keys for the gerrit user in gitea. We should be
happy with the approach on both sides of the gitea and gerrit
replication interaction before proceeding.

This is motivated by changes in gitea that make it more picky about the
keys it will accept by default. Rather than disable those checks we're
switching keys to be more acceptable.

The end result is the use of 4096 bit RSA keys. We did consider ed25519
keys but there is concern that the Gerrit replication plugin may not be
able to handle them as they only come in the new openssh key file
format. The replication plugin docs indicate PEM format should be used
instead. It is possible that new MINA in gerrit handles this fine but we
stick with what we know works to avoid problems.

[0] https://review.opendev.org/c/opendev/system-config/+/901082

Change-Id: I36704b7f8c0710fb5142153f99418eb200860bee
2023-11-30 11:11:39 -08:00
Zuul
1d75147a4e Merge "Add inventory/LE records for mirror02.dfw.rax" 2023-11-30 19:00:36 +00:00
Zuul
5cd1418420 Merge "Add inventory/LE records for mirror02.bhs1.ovh and mirror03.gra1.ovh" 2023-11-30 19:00:34 +00:00
Zuul
89909790b2 Merge "Add ssh key rotation to gitea ssh key management" 2023-11-29 23:53:18 +00:00
Zuul
e20dae2a00 Merge "Add openstack.org to certcheck domains" 2023-11-28 21:35:41 +00:00
Tony Breeds
f4833462e6 Add inventory/LE records for mirror02.dfw.rax
Depends-On: https://review.opendev.org/c/opendev/zone-opendev.org/+/902007
Change-Id: I339038db5a79ccec5dd224b42f25181c1294256b
2023-11-28 11:09:01 -06:00
Tony Breeds
c48c2f533b Add inventory/LE records for mirror02.bhs1.ovh and mirror03.gra1.ovh
Depends-On: https://review.opendev.org/c/opendev/zone-opendev.org/+/901627
Change-Id: Ic54ef48473f29658751ec81937384fd63049112e
2023-11-28 11:09:01 -06:00
Zuul
d19c26a024 Merge "Cleanup the Fedora 36 mirror content" 2023-11-22 06:26:40 +00:00
Clark Boylan
0901c4509b Cleanup the Fedora 36 mirror content
This is mostly a formality as upstream of us the content was already
removed and we synced that removal. But this will do a little extra
cleanup for us to make it look even less like a mirror of Fedora 36.

I also kept the structure of the file rather than deleting the code to
sync Fedora content. This should make it easy for someone to pick this
back up in the future if there is a need and ability to maintain it.

Change-Id: I976304727a06bd36eb05201043aac3861ee66937
2023-11-21 09:10:52 -08:00
Clark Boylan
c17fe1155a Switch gerrit 3.7 image to 3.8 in a couple places we missed
One spot is a default for testing that I'm pretty sure we override
everywhere anyway and the other is the resource requirement for the
infra-prod deployment job. Neither are critical, but good to have both
up to date after our upgrade.

Change-Id: If74ec2707cfadff1772596891e5a2783e83eb01b
2023-11-20 08:07:39 -08:00
Zuul
6b534d67cc Merge "Upgrade Gerrit to Gerrit 3.8" 2023-11-17 18:32:06 +00:00
Clark Boylan
c843085a02 Add ssh key rotation to gitea ssh key management
This change refactors how gerrit's key(s) in gitea are managed. The
motivation behind this is to allow us to do key rotation with overlap in
accepted keys. To do this we first check which keys are present. Then
any missing keys are added. Finally we remove any keys which are not in
our key options.

This also corrects a bug where replacing keys would've required two
Ansible passes to delete the old key then add the new key. All keys
should be properly set in a single Ansible pass with this update.

Change-Id: I1eaf5ae89542e3e4f479c77e4df72a34d65d9c46
2023-11-15 15:12:19 -08:00
Zuul
b24a3c3232 Merge "Add letsencrypt_certs for mirror02.ord" 2023-11-15 15:02:36 +00:00
James E. Blair
3d5c2a810e Revert registry.zuul-ci.org
This project didn't proceed past the test phase,
let's clean it up.

Revert "Add a functional test for registry.zuul-ci.org"
This reverts commit e701fdd3ca1d798bd912b19e91e154e8a88f43b8.

Revert "Add testinfra for registry.zuul-ci.org"
This reverts commit e00f4e59b39cabc3e33823a957d3623dce06f9c4.

Revert "Add static site for registry.zuul-ci.org"
This reverts commit 31b505d3ba29f751b8f02ff365ee6de6b5d350f9.

Revert "Add SSL cert for registry.zuul-ci.org"
This reverts commit d0a8473d42bb0ee3ab1cc8bffbf5bb2fea90f755.

Change-Id: I1d39306187c7b2d7a908389f88d1a60e1b29ffe3
2023-11-14 16:05:28 -08:00
Tony Breeds
d31288a2e6 Add letsencrypt_certs for mirror02.ord
In 900923[1] adding the letsencrypt_certs and associated handler was
missed #oops

This change fixes that.

[1] https://review.opendev.org/c/opendev/system-config/+/900923

Change-Id: Ieb7b87c11cffa2a3449b4d8f6438a8972e52fb16
2023-11-14 16:38:10 -06:00
Zuul
bd844f01fb Merge "Update Etherpad settings from upstream" 2023-11-02 16:51:15 +00:00
Zuul
014ef1be7a Merge "Upgrade to latest Mailman 3 releases" 2023-11-02 15:51:25 +00:00
Zuul
f1c7d7a8de Merge "Add a jammy test node for regional mirrors" 2023-11-01 22:21:40 +00:00
Jeremy Stanley
09d89298e3 Update Etherpad settings from upstream
Refresh our versions of settings.json.docker and
settings.json.template from upstream, incorporating our local
preferences as edits to the latter (the former is included in the
container image we publish but the latter gets mapped over it during
deployment).

Changes to the required version of node-log4js in Etherpad 1.9.4
will invalidate our custom logging configuration and error out,
preventing the service from starting, so go ahead and remove it now.

Change-Id: Ic05ed9be7b6900ba9cdfa09b28600bcd55b770fd
2023-11-01 18:49:05 +00:00
Tony Breeds
f223a237a2 Add a jammy test node for regional mirrors
Change-Id: I922af92e523407b7324f020732fad52b98f027e1
2023-10-31 18:27:59 -05:00
Jeremy Stanley
89d01144a1 Clean up old Mailman v2 roles and vars
Now that we no longer run a Mailman v2 server, we can drop all the
automation we used for deploying and maintaining it.

Change-Id: I522cdbef86d1fe491d446e4b721a7873564c927a
2023-10-31 18:20:12 +00:00
Zuul
ce24cd6a23 Merge "Merge production and test node mailman configs" 2023-10-31 17:03:58 +00:00
Zuul
5b837c1799 Merge "Convert commentlinks to new no html system" 2023-10-30 20:18:38 +00:00
Jeremy Stanley
73f0a5336a Merge production and test node mailman configs
Now that the Mailman v3 migration is complete, we no longer need any
divergence between the lists01 (production) and lists99 (test node)
host vars, so put everything into the group vars file instead.

Change-Id: If92943694e95ef261fbd254eff65a51d8d3f7ce5
2023-10-30 19:26:03 +00:00
Clark Boylan
33a4508616 Upgrade Gerrit to Gerrit 3.8
Note this should only be merged after the manual upgrade process is
completed. We still don't have that automated yet, but do eventually
need our config management to match what we've updated by hand.

Change-Id: I721228637ceaab47263afbae6522da0166d6ed27
2023-10-30 09:41:17 -07:00
Jeremy Stanley
b312e15b57 Upgrade to latest Mailman 3 releases
New releases info:

https://lists.mailman3.org/archives/list/mailman-users@mailman3.org/thread/4U5AP7GZ76NYQONACUVPDHSJBLLBSENL/

Sync all our forked files from mailman-docker to the current
upstream state, except for our overridden hyperkitty->archives and
postorius->mailman3 URL routes in
docker/mailman/web/mailman-web/urls.py.

Change-Id: I3b3955c8b2b91f167510c8a1122d9d8e2d620082
2023-10-29 16:28:43 +00:00
Zuul
31a430db07 Merge "Revert "Cap ruamel.yaml install for ARA"" 2023-10-26 22:10:14 +00:00
Zuul
b79818feae Merge "Add OpenInfra EU mailing lists" 2023-10-25 16:42:34 +00:00
Zuul
5d0f944c3e Merge "Update to Ansible 8 on bridge" 2023-10-25 16:25:10 +00:00
Clark Boylan
5aec9da11e Revert "Cap ruamel.yaml install for ARA"
This reverts commit a77eebe911b9651575c32dec8cb5ac84e4057192.

Ruamel.yaml 0.18.2 converted the error associated with the use of this
deprecated method from a sys.exit(1) to a raised Exception. It is
believed that this will allow Ara to run in some capacity and we don't
need to pin this dependency anymore.

More details in the upstream bug here:

  https://github.com/ansible-community/ara/issues/524

Change-Id: I694b8a016755d828490f0bcf4c6ceb812edf43d9
2023-10-25 09:04:57 -07:00
Jeremy Stanley
704321653b Add OpenInfra EU mailing lists
The OpenInfra Foundation executive team is requesting creation of
new mailing lists on lists.openinfra.dev for the foundation's new EU
hub. One list will have an open subscription policy and publicly
available archives, while the other will be utilized by the advisory
board for any sensitive topics that must be kept private.

Change-Id: I138bcdddd8b8feeb94adb71f0ba5e03d8c809e20
2023-10-25 15:31:37 +00:00
Clark Boylan
a77eebe911 Cap ruamel.yaml install for ARA
ARA is not compatible with latest ruamel.yaml which leads to errors
running ansible. Fix this by capping the ruamel.yaml version we install.

Change-Id: Ia5db3ba8579e7e5c1fe375b156323b94f341ad3e
2023-10-24 09:44:16 -07:00
Clark Boylan
8f9b1f2c9c Convert commentlinks to new no html system
Gerrit 3.8 drops support for html in commentlinks entirely. Gerrit 3.7
supports both html and the new non html system. Update our 3.7
installation to the new system on 3.7 so that we are ready for the
Gerrit 3.8 upgrade later.

Most of our comment links did not use html entries so we drop the html
lines entirely. A single commentlink does use html and there we convert
it to the new prefix, link, text, suffix system. More details can be
found here:

  https://gerrit.googlesource.com/gerrit/+/refs/tags/v3.8.2/tools/migration/html_to_link_commentlink.md

This should be a 1:1 mapping for our config and not change any behavior.

Change-Id: I0b87aac7b90814d242338be8fd03cfc9a76200f7
2023-10-23 14:03:06 +00:00