On Thu, Jan 29, 2015 at 11:46:03AM +0100, Pierre-Yves Chibon wrote:
> On Wed, Jan 28, 2015 at 06:01:59PM +0100, Pierre-Yves Chibon wrote:
> > On Mon, Jan 26, 2015 at 04:12:31PM +0100, Mathieu Bridon wrote:
> > > On Fri, 2015-01-23 at 14:10 +0100, Pierre-Yves Chibon wrote:
> > > > Since it seems to us that all is now fixed and ready, we are re-building the
> > > > host from scratch and then all that is left is: testing :)
> > >
> > > So Pierre-Yves finished rebuilding the host and syncing some git data on
> > > it from prod.
> > >
> > > And things just work. :)
> > >
> > > So far, I've tested:
> > >
> > > * shell access for admins (works for Pierre-Yves from sysadmin-main,
> > >   works for me from sysadmin-noc)
> > >
> > > * fedpkg clone/push, verifying that push fails for packages I don't
> > >   have acls on
> > >
> > > * git push of branches starting with "origin/", which is supposed to
> > >   fail (https://fedorahosted.org/rel-eng/ticket/4071)
> > >
> > > Still needs to be tested:
> > >
> > > * cgit seems to not see any package
> > >
> > > * fedpkg sources / new-sources fail (looking into this right now)
> >
> > After some more fighting:
> > is working:
> > - shell access for admins
> > - fedpkg clone, pull, push
> >   - Fails on package on which user does not have the ACLs
> >   - Fails on branches not allowed
> >   - Fails on branches named origin/...
> > - cgit: http://pkgs.stg.fedoraproject.org/cgit/
> > - fedpkg new-sources / sources
> >
> > All this with SELinux enabled.
> >
> > Fails:
> > - fedmsg-genacls.sh
>
> This is now fixed.
> It was basically two permission issues, one for running genacls.sh which now
> needs to be run as root as it has to chown and chmod some files and the second
> was adjusting the permissions to allow fedmsg to sudo as root to run genacls.sh
>
> > - fedmsg messages sent after an upload
> > Of the two, the last one at least is still SELinux related, no clue for the
> > first one.
>
> Remains this one :)

And with one last SELinux boolean tuning, this is working \ó/

pkgs01.stg has been rebuilt (again) and all seems to work fine.

So if someone wants to review our change, I think we're good :)

Pierre