On 09/25/2017 10:58 PM, Till Maas wrote:
> On Mon, Sep 25, 2017 at 01:54:49PM -0700, Kevin Fenzi wrote:
>
>> This morning pkgs02 stopped answering to git:// clone urls from koji,
>> breaking builds.
>
> Could we make koji also use https:// nowadays? I remember that there was
> a ticket about this.

That should be all done. koji should always use https now with a valid cert.

>> systemd was happy after that, but load was still very very high. Looking
>> I found a number of git clones from external IPs. Since there's no
>> reason for this (external people should use https:// clone urls or
>> ssh://) I blocked those except from 10.0.0.0/8.
>>
>> Since this was outage-causing for builds I went ahead and did all this,
>> but would like to get retroactive +1s or any adjustments I might have
>> missed.
>
> +1 (for no unencrypted services)

Agreed, unfortunately, things don't seem to be ready for git:// to go away on pkgs yet. ;(

* fedpkg -a still uses it. The issue there is that it needs to not only use https://src but it needs to pass a url to koji that works for official builds. See: https://bugzilla.redhat.com/show_bug.cgi?id=1188634

So, we may need to adjust kojid config on our side or something more intrusive.

* chain builds don't work:

Could not execute chainbuild: Got an error finding master head for <foo>: fatal: unable to connect to pkgs.fedoraproject.org:

So, I'd like to revert this until after the freeze when we can actually have fedpkg fixed and ready for it.

Note that if we start getting hammered from any specific IPs, we could specifically block them for now.

+1s to apply this and monitor?

diff --git a/inventory/group_vars/pkgs b/inventory/group_vars/pkgs
index c0435a0..7552654 100644
--- a/inventory/group_vars/pkgs
+++ b/inventory/group_vars/pkgs
@@ -8,7 +8,7 @@ tcp_ports: [80, 443, 3000, 3001, 3002, 3003, 3004, 3005, 3006, 3007, 3008, 3009, 3010, 3011, 3012, 3013, 3014, 3015] -custom_rules: [ '-A INPUT -s 10.0.0.0/8 -p tcp -m tcp --dport 9418 -j ACCEPT'] +custom_rules: [ '-A INPUT -p tcp -m tcp --dport 9418 -j ACCEPT'] # Definining these vars has a number of effects # 1) mod_wsgi is configured to use the vars for its own setup kevin
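Review bot: the new `custom_rules` line drops the `-s 10.0.0.0/8` match, so port 9418 is ACCEPTed from any source again, and since `tcp_ports` in this hunk does not list 9418 this one rule is the only thing exposing git:// at all. Because the mail frames this as a temporary revert pending the fedpkg fix, a comment beside the rule pointing at https://bugzilla.redhat.com/show_bug.cgi?id=1188634 and saying the source restriction should come back after the freeze would keep that intent in the inventory rather than only in list archives. Also worth noting for the "block specific IPs" fallback mentioned in the mail: any such `-j DROP` entries must be placed before this ACCEPT in the `custom_rules` list, since iptables matches in order and the ACCEPT would otherwise win.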
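The two `custom_rules` values in the patch differ only in whether the ACCEPT on port 9418 carries a `-s 10.0.0.0/8` source match. The following is an added example (not Fedora infrastructure code) of a small lint that a reviewer could run over such a rule list before merging: it parses each iptables rule string, reports ACCEPT rules for a port that reach beyond an allowed network, and answers whether a given client address would be let in. The rule strings are the two lines from the patch; the client addresses are constructed samples.

```python
"""Lint iptables-style rule strings from an Ansible ``custom_rules`` list.

Added example, not part of the original mail or of the Fedora inventory.
It flags ACCEPT rules on a port that are not limited to an allowed source
network, which is exactly the difference between the two lines in the patch.
"""
import ipaddress
import shlex

# The restricted rule (before) and the opened-up rule (after) from the patch.
RULE_RESTRICTED = '-A INPUT -s 10.0.0.0/8 -p tcp -m tcp --dport 9418 -j ACCEPT'
RULE_OPEN = '-A INPUT -p tcp -m tcp --dport 9418 -j ACCEPT'


def parse_rule(rule):
    """Turn one iptables rule string into a dict of option -> value.

    An option followed by a non-option token takes that token as its value;
    a bare option is stored as True. Only the options used below are needed,
    so negations ("! -s ...") and match modules with several arguments are
    not modelled.
    """
    tokens = shlex.split(rule)
    parsed = {}
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        has_value = i + 1 < len(tokens) and not tokens[i + 1].startswith('-')
        if tok.startswith('-') and has_value:
            parsed[tok] = tokens[i + 1]
            i += 2
        else:
            parsed[tok] = True
            i += 1
    return parsed


def accept_scope(rule, port):
    """Return the source network an ACCEPT rule on ``port`` admits.

    Returns None when the rule is not an ACCEPT for that destination port.
    A rule without ``-s`` admits every IPv4 source, i.e. 0.0.0.0/0.
    """
    opts = parse_rule(rule)
    if opts.get('-j') != 'ACCEPT' or opts.get('--dport') != str(port):
        return None
    src = opts.get('-s') or opts.get('--source') or '0.0.0.0/0'
    return ipaddress.ip_network(src, strict=False)


def audit_rules(rules, port, allowed_net='10.0.0.0/8'):
    """Return the rules that ACCEPT ``port`` from outside ``allowed_net``."""
    allowed = ipaddress.ip_network(allowed_net)
    findings = []
    for rule in rules:
        scope = accept_scope(rule, port)
        if scope is None:
            continue
        # A different address family can never be inside the allowed net.
        if scope.version != allowed.version or not scope.subnet_of(allowed):
            findings.append(rule)
    return findings


def client_allowed(rules, port, client_ip):
    """Would ``client_ip`` reach ``port`` through any ACCEPT in ``rules``?"""
    ip = ipaddress.ip_address(client_ip)
    for rule in rules:
        scope = accept_scope(rule, port)
        if scope is not None and scope.version == ip.version and ip in scope:
            return True
    return False


if __name__ == '__main__':
    for label, rule in (('before', RULE_RESTRICTED), ('after', RULE_OPEN)):
        findings = audit_rules([rule], 9418)
        status = 'open to the world' if findings else 'limited to 10.0.0.0/8'
        print(f'{label}: port 9418 {status}')
    # Constructed sample client addresses: one internal, one external.
    for ip in ('10.5.6.7', '203.0.113.9'):
        print(ip, 'allowed by "after" rule:', client_allowed([RULE_OPEN], 9418, ip))
```

Running the block prints that the "before" rule is limited to 10.0.0.0/8 while the "after" rule is open to the world, and that the external sample address is admitted only by the "after" rule. The audit only looks at ACCEPT entries, so a per-IP DROP placed before the ACCEPT in the list, as the mail suggests for hosts that hammer the daemon, would not change its verdict; it is a check on what the ACCEPT alone exposes, not a simulation of the whole chain.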
infrastructure mailing list -- infrastructure@xxxxxxxxxxxxxxxxxxxxxxx