Looked at logs of servers being hit by the 'non-responsive' bots and
the following were hit heavily every day multiple times a day:
100006 nagios.fedoraproject.org-access.log
102150 koschei.fedoraproject.org-access.log
162296 lists.fedoraproject.org-access.log
495776 fedoraproject.org-access.log
850471 dl.fedoraproject.org-access.log
Added blocks to dl.fedoraproject to try and lower its hit rate. Others
need review from people who know their internals more.
Signed-off-by: Stephen Smoogen <ssmoogen@redhat.com>

This was fixed previously for pagure.io in the context of
paguremirroring. Turns out, it affects all kinds of git operations, so
document and move accordingly.
Fixes: releng#12181
Fixes: fedora-infrastructure#12010
Signed-off-by: Nils Philippsen <nils@redhat.com>

To create a new log file as the paguremirroring user we need to add write
permissions to the /var/log/pagure/ folder as well. This is correctly set for
the distgit/pagure role, but not for pagure itself.
Signed-off-by: Michal Konecny <mkonecny@redhat.com>

- patch the httplib2 library to avoid hardcoding TLSv1
- set the missing configuration variables in `pagure.cfg` (they have no
defaults)
- set the password for the future production version of
`client_secrets.json`
Also note that in the private ansible repo, the Pagure client
configuration in Ipsilon was fixed: the `token_endpoint_auth_method`
variable was set to `"client_secret_post"`.
Signed-off-by: Aurélien Bompard <aurelien@bompard.org>

Currently, I (Stephen Smoogen) do not have the time to work on Fedora
system administration items. However, I get a lot of email and people
see my email address in various places to ping me for working on
things. I feel it would be better to remove myself from those places
and let Fedora Infrastructure add someone else to replace me when it
is possible to do so.
Signed-off-by: Stephen Smoogen <ssmoogen@redhat.com>

This commit removes the old tasks to try and create a cert/intermediate
bundle file for stunnel in favor of just doing it when we renew/get the
cert. It also fixes stunnel to use the correct bundled cert.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>

I'll try this in stg first and then roll to prod if all looks ok.
I don't see any reason why it wouldn't work offhand.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>

The current playbook assumes the old digicert ssl cert that's in private.
However, we got that in 2020 and it's expired. We switched pagure.io
over to letsencrypt a while back. Somehow we didn't change the playbook
however, or the change was lost somewhere. :(
So, this adds 2 calls to the letsencrypt role to get certs for the prod
and staging pagure instances. I think this should do the right thing
with placement of files, but more eyes welcome.
Without this, playbook runs have the chance of messing up pagure.io
certs, so I think we should fix this asap.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>

In https://pagure.io/fedora-infra/ansible/pull-request/1013 a change to enable
new ACLs for API tokens was introduced. Unfortunately, the `issue_close` ACL
doesn't exist, and to close an issue in Pagure it needs the
`issue_change_status` and `issue_update` ACLs. This commit fixes the
previous mistake.
Signed-off-by: Michal Konečný <mkonecny@redhat.com>

Add issue_close and pull_request_close ACLs to cross project ACLs. These ACLs
are already used in the Pagure API; you can't just create an API token with these ACLs.
Signed-off-by: Michal Konečný <mkonecny@redhat.com>

ssh git@pagure.io was broken (no longer accepting ssh connections).
A quick debug showed that it was caused by the helper script not working,
showing a 403 error. And the httpd logs were complaining about
authorized IPs not present in the configuration.
The root cause is in 938e63fa71 as the variables were renamed
from eth0_ip and eth0_ipv6 to eth0_ipv4_ip and eth0_ipv6_ip.
Then pagure config got regenerated later and this triggered the
bug preventing people from pushing.