+1.

On 26 September 2017 at 11:22, Kevin Fenzi <kevin@xxxxxxxxx> wrote:
> On 09/25/2017 10:58 PM, Till Maas wrote:
>> On Mon, Sep 25, 2017 at 01:54:49PM -0700, Kevin Fenzi wrote:
>>
>>> This morning pkgs02 stopped answering to git:// clone urls from koji,
>>> breaking builds.
>>
>> Could we make koji also use https:// nowadays? I remember that there was
>> a ticket about this.
>
> That should be all done. koji should always use https now with a valid
> cert.
>
>>> systemd was happy after that, but load was still very very high. Looking
>>> I found a number of git clones from external ip's. Since there's no
>>> reason for this (external people should use https:// clone urls or
>>> ssh://) I blocked those except from 10.0.0.0/8.
>>>
>>> Since this was outage causing for builds I went ahead and did all this,
>>> but would like to get retroactive +1s or any adjustments I might have
>>> missed.
>>
>> +1 (for no unencrypted services)
>
> Agreed, unfortunately, things don't seem to be ready for git:// to go
> away on pkgs yet. ;(
>
> * fedpkg -a still uses it. The issue there is that it needs to not only
> use https://src but it needs to pass a url to koji that works for
> official builds. See:
>
> https://bugzilla.redhat.com/show_bug.cgi?id=1188634
>
> So, we may need to adjust kojid config on our side or something more
> intrusive.
>
> * chain builds don't work:
>
> Could not execute chainbuild: Got an error finding master head for
> <foo>: fatal: unable to connect to pkgs.fedoraproject.org:
>
> So, I'd like to revert this until after the freeze when we can actually
> have fedpkg fixed and ready for it.
>
> Note that if we start getting hammered from any specific IP's, we could
> specifically block them for now.
>
> +1s to apply this and monitor?
>
> diff --git a/inventory/group_vars/pkgs b/inventory/group_vars/pkgs > index c0435a0..7552654 100644 > --- a/inventory/group_vars/pkgs > +++ b/inventory/group_vars/pkgs 
> @@ -8,7 +8,7 @@ tcp_ports: [80, 443, > 3000, 3001, 3002, 3003, 3004, 3005, 3006, 3007, > 3008, 3009, 3010, 3011, 3012, 3013, 3014, 3015] > > -custom_rules: [ '-A INPUT -s 10.0.0.0/8 -p tcp -m tcp --dport 9418 -j > ACCEPT'] > +custom_rules: [ '-A INPUT -p tcp -m tcp --dport 9418 -j ACCEPT'] > > # Definining these vars has a number of effects > # 1) mod_wsgi is configured to use the vars for its own setup
>
> kevin
>
> _______________________________________________
> infrastructure mailing list -- infrastructure@xxxxxxxxxxxxxxxxxxxxxxx
> To unsubscribe send an email to infrastructure-leave@xxxxxxxxxxxxxxxxxxxxxxx

--
Stephen J Smoogen.
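
Review bot: The `+custom_rules` line drops `-s 10.0.0.0/8` and reopens port 9418 to every source, but nothing in the vars file records that this is a temporary revert. Add a comment above `custom_rules` stating why the restriction was lifted (fedpkg -a and chain builds still depend on git://, see bug 1188634) and that the `-s 10.0.0.0/8` match should be restored after the freeze, so the open rule is not mistaken for the intended end state. Because the thread attributes the high load to git clones from external addresses, consider placing a per-source connection cap for `--dport 9418` ahead of this ACCEPT (for example with the iptables connlimit match) so the load is bounded while the port is open, instead of relying only on blocking individual IPs by hand once they show up.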