f4d43af312
As discussed in the thread mentioned inline, this pins the ipv6 configuration to avoid listening to RA's on the review02 server. Change-Id: I17b0e049fcc1e975e8b4383957b020c11d9b89f0
62 lines
2.3 KiB
YAML
# Main Gerrit play. The host pattern selects the `review` group and
# excludes (`!`) any host that is also in the `disabled` group.
- name: 'Configure gerrit'
  hosts: 'review:!disabled'
  # Roles are applied in the order listed: iptables, then
  # install-docker, then gerrit.
  roles:
    - iptables
    - install-docker
    - gerrit
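# NOTE(ianw) 2021-03-30 : This is just temporary to facilitate bulk
# data transfer of data between the old and new server.
#
# The key installed below is limited to running rrsync in read-only
# mode, so its holder can read everything under /home/gerrit2 (but not
# write to it) for as long as the entry stays in authorized_keys.
# TODO: once the transfer is finished, drop this play or switch the
# authorized_key task to `state: absent` so the access does not linger.
- hosts: "review01.openstack.org"
  name: Setup remote gerrit
  tasks:
    - name: Install rrsync
      shell:
        # `creates` makes this a one-shot task, so the script is staged
        # under a temporary name and renamed only after it has been
        # unpacked and made executable. A failed gunzip can then no
        # longer leave an empty rrsync that satisfies `creates` and is
        # never repaired. `set -e` stops at the first failing command and
        # `mkdir -p` tolerates a bin/ directory that already exists.
        cmd: |
          set -e
          mkdir -p /home/gerrit2/bin
          gunzip -c /usr/share/doc/rsync/scripts/rrsync.gz > /home/gerrit2/bin/rrsync.tmp
          chmod a+x /home/gerrit2/bin/rrsync.tmp
          mv /home/gerrit2/bin/rrsync.tmp /home/gerrit2/bin/rrsync
        creates: '/home/gerrit2/bin/rrsync'

    - name: Install review02.opendev.org copying key
      authorized_key:
        user: gerrit2
        state: present
        key: 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDVuhTMAz1H2Jr9AC3py9A0vlNna6Sdt4yrvZOayxukPqQ7GPZd+Mo7MVyypxLD479N2mA09JAdsbq1eTiPP8ksEkB+dNxZzw8mY1653R/IXSW6J9xPcoDa88HF2s/xHN24IWzgiDjNNe79AQ+sKleByEQZ++xXny3MRpy258hKUvAtjjOLOnM1PBs8JNOzBL+UPgWRgSX6GG0qywJZqjD1Qx5kvH9RTRLi+tcMhEi4laN7BYvn4csY0sYzTzPG4ZTu3ootIJoRlQGtQ0LmoFO1vSwyEJUags6/ZZGjgy3jl3kwcU/b8ZnFlF4MDw1OB1QqMb4r6bMHbXNIupp4zJbz'
        # Forced command: whatever the client requests, sshd runs rrsync,
        # which serves /home/gerrit2 read-only (-ro). Port, agent and X11
        # forwarding and pty allocation are switched off for this key.
        # NOTE(review): on OpenSSH >= 7.2 the single `restrict` option
        # also covers restrictions not listed here (e.g. user rc files);
        # confirm the sshd version on this host before switching.
        key_options: 'command="/home/gerrit2/bin/rrsync -ro /home/gerrit2",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty'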
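# NOTE(ianw) 2021-04-09 This is a workaround for RA leaks seen in
# vexxhost which is currently unresolved.  This pins the ipv6 config
# and ensures we don't listen to RA's.  See:
#  http://lists.opendev.org/pipermail/service-discuss/2021-April/000200.html
#  https://launchpad.net/bugs/1844712
- hosts: "review02.opendev.org"
  # Named like the other plays in this file so run output identifies it.
  name: "Pin IPv6 configuration on review02"
  tasks:
    - name: Install RA rejection
      # Writes a static netplan definition for ens3: IPv4 still comes
      # from DHCP, while DHCPv6 and router-advertisement processing are
      # off and the IPv6 address and both default routes are fixed, so
      # an unexpected RA on the segment cannot add addresses or routes.
      # NOTE(review): this task only writes the file; nothing in this
      # play runs `netplan apply`, so the change presumably takes effect
      # on the next apply or reboot. Confirm that is intended.
      # NOTE(review): 50-cloud-init.yaml is the file name cloud-init
      # normally generates; verify cloud-init network configuration is
      # disabled on this host, or the pinned settings may be rewritten.
      copy:
        dest: '/etc/netplan/50-cloud-init.yaml'
        owner: 'root'
        group: 'root'
        mode: '0644'
        content: |
          network:
            version: 2
            ethernets:
              ens3:
                dhcp4: true
                dhcp6: false
                accept-ra: false
                addresses:
                  - '2604:e100:1:0:f816:3eff:fe52:22de/64'
                routes:
                  - to: '::/0'
                    via: 'fe80::ce2d:e0ff:fe0f:74af'
                    metric: 100
                  - to: '::/0'
                    via: 'fe80::ce2d:e0ff:fe5a:d84e'
                    metric: 100
                match:
                  macaddress: fa:16:3e:52:22:de
                mtu: 1500
                set-name: ens3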