Re: New Freeze break request: re-enable git:// on pkgs


 



+1.

On 26 September 2017 at 11:22, Kevin Fenzi <kevin@xxxxxxxxx> wrote:
> On 09/25/2017 10:58 PM, Till Maas wrote:
>> On Mon, Sep 25, 2017 at 01:54:49PM -0700, Kevin Fenzi wrote:
>>
>>> This morning pkgs02 stopped answering to git:// clone urls from koji,
>>> breaking builds.
>>
>> Could we make koji also use https:// nowadays? I remember that there was
>> a ticket about this.
>
> That should be all done. koji should always use https now with a valid
> cert.
>
>>> systemd was happy after that, but load was still very very high. Looking
>>> I found a number of git clones from external ip's. Since there's no
>>> reason for this (external people should use https:// clone urls or
>>> ssh://) I blocked those except from 10.0.0.0/8.
>>>
>>> Since this was outage causing for builds I went ahead and did all this,
>>> but would like to get retroactive +1s or any adjustments I might have
>>> missed.
>>
>> +1 (for no unencrypted services)
>
> Agreed, unfortunately, things don't seem to be ready for git:// to go
> away on pkgs yet. ;(
>
> * fedpkg -a still uses it. The issue there is that it needs to not only
> use https://src but it also needs to pass a URL to koji that works for
> official builds. See:
>
> https://bugzilla.redhat.com/show_bug.cgi?id=1188634
>
> So, we may need to adjust kojid config on our side or something more
> intrusive.
>
> * chain builds don't work:
>
> Could not execute chainbuild: Got an error finding master head for
> <foo>: fatal: unable to connect to pkgs.fedoraproject.org:
>
> So, I'd like to revert this until after the freeze when we can actually
> have fedpkg fixed and ready for it.
>
> Note that if we start getting hammered from any specific IP's, we could
> specifically block them for now.
>
> +1s to apply this and monitor?
>
> diff --git a/inventory/group_vars/pkgs b/inventory/group_vars/pkgs
> index c0435a0..7552654 100644
> --- a/inventory/group_vars/pkgs
> +++ b/inventory/group_vars/pkgs
> @@ -8,7 +8,7 @@ tcp_ports: [80, 443,
>      3000, 3001, 3002, 3003, 3004, 3005, 3006, 3007,
>      3008, 3009, 3010, 3011, 3012, 3013, 3014, 3015]
>
> -custom_rules: [ '-A INPUT -s 10.0.0.0/8 -p tcp -m tcp --dport 9418 -j
> ACCEPT']
> +custom_rules: [ '-A INPUT -p tcp -m tcp --dport 9418 -j ACCEPT']
>
>  # Definining these vars has a number of effects
>  # 1) mod_wsgi is configured to use the vars for its own setup
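
Review bot: the replacement `custom_rules` line drops `-s 10.0.0.0/8`, so port 9418 accepts connections from any source again, and nothing in the file records that this reopening is meant to be temporary. Add a comment above the rule that names the blocker (https://bugzilla.redhat.com/show_bug.cgi?id=1188634) and says the source restriction should be restored after the freeze, so the revert is not forgotten. Because the restriction was introduced in response to load from external git:// clones, consider pairing the open rule with a per-source connection limit (the iptables `connlimit` match) instead of relying only on blocking individual addresses by hand.
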
>
> kevin
>
>
> _______________________________________________
> infrastructure mailing list -- infrastructure@xxxxxxxxxxxxxxxxxxxxxxx
> To unsubscribe send an email to infrastructure-leave@xxxxxxxxxxxxxxxxxxxxxxx
>



-- 
Stephen J Smoogen.



