We need this in order to be able to use them as jumphosts with ssh.
Without it, there's no easy way to get to any internal machines.
Just enable it here and leave the default off.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
There's no need to keep ocp-rdu3 around anymore, we only used
it when we were moving datacenters last year.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
This reverts commit 4fdd0c9fca.
This causes robosignatory's priorities to not work.
We want to handle some requests before others, but if we prefetch 25 of
them, there could be any mix of requests and we wouldn't process the most
important ones first.
We are resigning in prep for branching next week, we need to also make
sure to sign things with the f45 ima key.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
This role is intended to be run on a build{vm|hw} machine that is in the
secure-boot channel in koji. It sets up the siguldry pesign-bridge that
allows builds done there to call pesign to sign artifacts by bind
mounting a socket into the mock chroot.
This then calls sigul's pesign client which sends the artifact to the
sigul vault via the sigul bridge for signing. The vault has access to
a secure token to sign the artifact with.
This should (once confirmed working) replace the roles/bkernel role that
used a secure card that was directly attached to a buildhw device.
This should allow us to add support for aarch64 as well as more easily
use different hardware or VMs, as any of them could be set up to query
the sigul server.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
We only have two job groups, so the front page is a bit sad and
empty. Let's show 10 builds per group, not 3.
Signed-off-by: Adam Williamson <awilliam@redhat.com>
Seems like the proxies don't want to handle port 80 nicely, I get
errors in Zabbix for them using localhost:80/apache-status (which
works elsewhere, like sundries). However using https/443 seems to
work, so we'll do that instead.
Signed-off-by: Greg Sutcliffe <fedora@emeraldreverie.org>
I mistakenly changed the port in the fedora/non el one, that was
correct.
Need to add the port in the el one for selinux to allow httpd to work.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
Fixed up a few things missed and caught in testing on dl01:
* need to set up subuid/subgid files for podman
* need to allow the right port for httpd to listen in selinux
* need httpd network connect to allow it to connect to anubis
* adjust worker values, we were not using prefork for a long time
so the values were just default; up them a bunch.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
Looks like the scrapers are hitting the download servers now.
So, look at setting up an anubis pod there like we did for pagure.
anubis package isn't available for epel9, so we just use the container.
Will test this with dl01 and tweak until it's working.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>