New Freeze break request: re-enable git:// on pkgs

On 09/25/2017 10:58 PM, Till Maas wrote:
> On Mon, Sep 25, 2017 at 01:54:49PM -0700, Kevin Fenzi wrote:
> 
>> This morning pkgs02 stopped answering to git:// clone urls from koji,
>> breaking builds.
> 
> Could we make koji also use https:// nowadays? I remember that there was
> a ticket about this.

That should be all done. koji should always use https now with a valid
cert.

>> systemd was happy after that, but load was still very very high. Looking
>> I found a number of git clones from external IPs. Since there's no
>> reason for this (external people should use https:// clone urls or
>> ssh://) I blocked those except from 10.0.0.0/8.
>>
>> Since this was outage causing for builds I went ahead and did all this,
>> but would like to get retroactive +1s or any adjustments I might have
>> missed.
> 
> +1 (for no unencrypted services)

Agreed, unfortunately, things don't seem to be ready for git:// to go
away on pkgs yet. ;(

* fedpkg -a still uses it. The issue there is that it needs to not only
use https://src but it also needs to pass a URL to koji that works for
official builds. See:

https://bugzilla.redhat.com/show_bug.cgi?id=1188634

So, we may need to adjust kojid config on our side or something more
intrusive.

* chain builds don't work:

Could not execute chainbuild: Got an error finding master head for
<foo>: fatal: unable to connect to pkgs.fedoraproject.org:

So, I'd like to revert this until after the freeze when we can actually
have fedpkg fixed and ready for it.

Note that if we start getting hammered from any specific IPs, we could
specifically block them for now.

+1s to apply this and monitor?

diff --git a/inventory/group_vars/pkgs b/inventory/group_vars/pkgs
index c0435a0..7552654 100644
--- a/inventory/group_vars/pkgs
+++ b/inventory/group_vars/pkgs
@@ -8,7 +8,7 @@ tcp_ports: [80, 443,
     3000, 3001, 3002, 3003, 3004, 3005, 3006, 3007,
     3008, 3009, 3010, 3011, 3012, 3013, 3014, 3015]

-custom_rules: [ '-A INPUT -s 10.0.0.0/8 -p tcp -m tcp --dport 9418 -j
ACCEPT']
+custom_rules: [ '-A INPUT -p tcp -m tcp --dport 9418 -j ACCEPT']

 # Definining these vars has a number of effects
 # 1) mod_wsgi is configured to use the vars for its own setup
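
Review bot: the replacement custom_rules line drops the `-s 10.0.0.0/8` match and puts nothing in its place, so port 9418 accepts connections from every source again, the same state in which the external git:// clones drove the load up. Since the message describes this as a revert only until after the freeze, add a comment above custom_rules saying it is temporary and pointing at bugzilla 1188634, so the source restriction gets restored once fedpkg is fixed. If custom_rules takes more than one list entry, consider keeping the 10.0.0.0/8 ACCEPT and adding a second rule for other sources with a per-source connection limit (iptables connlimit match) instead of an unconditional ACCEPT, which would bound the load while the port is open and leave less to catch by manual monitoring.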

kevin
