In f41+ libvirt defaults to using nftables if both it and iptables
are installed, but it doesn't seem to work with imagefactory/oz
virt instances and our iptables setup.
So, let's revert back to iptables for now.
We can switch back if we can fix the incompatibility, switch builders
to nftables, or stop using oz/IF
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
Currently, I (Stephen Smoogen) do not have the time to work on Fedora
system administration items. However, I get a lot of email and people
see my email address in various places to ping me for working on
things. I feel it would be better to remove myself from those places
and let Fedora Infrastructure add someone else to replace me when it
is possible to do so.
Signed-off-by: Stephen Smoogen <ssmoogen@redhat.com>
Add reload in so we can reload and have kojid finish any jobs and then
restart and also add a 60s restart backoff time.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
Right now we run a script on all builders once a minute to update the
api/auth IPs for osbuild. This has a number of problems:
* Sometimes osbuild jobs land on s390x builders that have no internet
access and hang or fail.
* Sometimes the update script hangs or takes a long time to run because
the builder is heavily loaded with builds, resulting in locking emails
to sysadmin-main folks.
So, in this commit we:
* make a new koji channel called 'osbuild' with all the buildhw-x86's in
it. They are usually not too overloaded and there are 16 of them so it
should be available all the time.
* Leave the cron job on all builders for now in case, but make them only
update once a day since they won't be getting jobs. If this works out
we can remove it entirely there.
* Make the buildhw-x86s only update every 5min. This opens a larger
window for it being wrong, but it's still pretty small and should
reduce the number of emails for stalled processes we get.
See https://pagure.io/fedora-infrastructure/issue/10982
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
This is a quick, hacked up script that just runs once per minute and
updates the ip addresses for the osbuild koji plugin. The script calls
systemd's resolvectl without cache and puts the ips in an ipset. The
koji_builder firewall has an added rule to check that ipset for outgoing
connections that are allowed.
TODO: add some kind of error checking
TODO: probably won't work on s390x builders as they can't reach the host
even with open firewalls, but should work for others.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
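
Added example, not part of the commit above or of the Fedora Infrastructure repository: one way to build the ipset update that the commit message describes, including the error checking its TODO mentions, so that a failed lookup leaves the previous allow-list in place. The set name osbuild-allow, the host names and the sample resolver output are assumptions.

```shell
#!/bin/sh
# Added example. Set name, host names and sample output are assumptions.

# Constructed sample of "resolvectl query" output (documentation addresses).
SAMPLE='api.example.org: 192.0.2.10 -- link: eth0
                 192.0.2.11 -- link: eth0
auth.example.org: 198.51.100.7 -- link: eth0
                  192.0.2.10 -- link: eth0'

# Read resolver output on stdin; print valid IPv4 addresses, unique, sorted.
extract_ipv4() {
    grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' |
        awk -F. '$1 <= 255 && $2 <= 255 && $3 <= 255 && $4 <= 255' |
        sort -u
}

# Read resolver output on stdin; print an "ipset restore" script that fills a
# scratch set and swaps it in, so the firewall never sees a half-built set.
# Returns 1 and prints nothing when no address was found: the caller then
# keeps the previous set instead of emptying the allow-list.
build_restore() {
    set_name=$1
    addrs=$(extract_ipv4)
    [ -n "$addrs" ] || return 1
    echo "create $set_name hash:ip family inet"
    echo "create ${set_name}-new hash:ip family inet"
    echo "flush ${set_name}-new"
    echo "$addrs" | sed "s/^/add ${set_name}-new /"
    echo "swap ${set_name}-new $set_name"
    echo "destroy ${set_name}-new"
}

# Resolve every host without the cache, then apply. Any lookup failure aborts
# before ipset is touched. Needs root, resolvectl and ipset; not run here.
update_set() {
    set_name=$1; shift
    answers=$(for h in "$@"; do
        resolvectl query --cache=no -4 "$h" || exit 1
    done) || return 1
    script=$(printf '%s\n' "$answers" | build_restore "$set_name") || return 1
    printf '%s\n' "$script" | ipset -exist restore
}

# Dry run on the constructed sample: print the restore script only.
printf '%s\n' "$SAMPLE" | build_restore osbuild-allow
```

On a builder the periodic job would call update_set with the set name followed by the host names to resolve.
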
kojid from time to time hits OOM-killer and is killed, making the
builder basically never check in or run builds until a manual restart.
Setting this should restart it after such an OOM event and hopefully keep
it processing.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
We no longer use the old compose mock configs as part of our processes. nuke
them all from being installed
Signed-off-by: Dennis Gilmore <ausil@fedoraproject.org>
We will want to drop this once upstream has added this.
This hopefully fixes kernel and other package builds that have been failing with annoying fork errors.
the koji-builder rpm now installs the runroot plugin into the
builder plugin directory. no longer install our copy and use
upstream's and no longer reset the plugin directory
Signed-off-by: Dennis Gilmore <ausil@fedoraproject.org>