+1

On Tue, Sep 26, 2017 at 11:26 AM, Stephen John Smoogen <smooge@xxxxxxxxx> wrote:
> +1.
>
> On 26 September 2017 at 11:22, Kevin Fenzi <kevin@xxxxxxxxx> wrote:
>> On 09/25/2017 10:58 PM, Till Maas wrote:
>>> On Mon, Sep 25, 2017 at 01:54:49PM -0700, Kevin Fenzi wrote:
>>>
>>>> This morning pkgs02 stopped answering to git:// clone urls from koji,
>>>> breaking builds.
>>>
>>> Could we make koji also use https:// nowadays? I remember that there was
>>> a ticket about this.
>>
>> That should be all done. koji should always use https now with a valid
>> cert.
>>
>>>> systemd was happy after that, but load was still very very high. Looking
>>>> I found a number of git clones from external ip's. Since there's no
>>>> reason for this (external people should use https:// clone urls or
>>>> ssh://) I blocked those except from 10.0.0.0/8.
>>>>
>>>> Since this was outage causing for builds I went ahead and did all this,
>>>> but would like to get retroactive +1s or any adjustments I might have
>>>> missed.
>>>
>>> +1 (for no unencrypted services)
>>
>> Agreed, unfortunately, things don't seem to be ready for git:// to go
>> away on pkgs yet. ;(
>>
>> * fedpkg -a still uses it. The issue there is that it needs to not only
>> using https://src but it needs to pass a url to koji that works for
>> official builds. See:
>>
>> https://bugzilla.redhat.com/show_bug.cgi?id=1188634
>>
>> So, we may need to adjust kojid config on our side or something more
>> intrusive.
>>
>> * chain builds don't work:
>>
>> Could not execute chainbuild: Got an error finding master head for
>> <foo>: fatal: unable to connect to pkgs.fedoraproject.org:
>>
>> So, I'd like to revert this until after the freeze when we can actually
>> have fedpkg fixed and ready for it.
>>
>> Note that if we start getting hammered from any specific IP's, we could
>> specifically block them for now.
>>
>> +1s to apply this and monitor?
>> >> diff --git a/inventory/group_vars/pkgs b/inventory/group_vars/pkgs >> index c0435a0..7552654 100644 >> --- a/inventory/group_vars/pkgs >> +++ b/inventory/group_vars/pkgs >> @@ -8,7 +8,7 @@ tcp_ports: [80, 443, >> 3000, 3001, 3002, 3003, 3004, 3005, 3006, 3007, >> 3008, 3009, 3010, 3011, 3012, 3013, 3014, 3015] >> >> -custom_rules: [ '-A INPUT -s 10.0.0.0/8 -p tcp -m tcp --dport 9418 -j >> ACCEPT'] >> +custom_rules: [ '-A INPUT -p tcp -m tcp --dport 9418 -j ACCEPT'] >> >> # Definining these vars has a number of effects >> # 1) mod_wsgi is configured to use the vars for its own setup >> >> kevin >> >> >> _______________________________________________ >> infrastructure mailing list -- infrastructure@xxxxxxxxxxxxxxxxxxxxxxx >> To unsubscribe send an email to infrastructure-leave@xxxxxxxxxxxxxxxxxxxxxxx >> > > > > -- > Stephen J Smoogen. > _______________________________________________ > infrastructure mailing list -- infrastructure@xxxxxxxxxxxxxxxxxxxxxxx > To unsubscribe send an email to infrastructure-leave@xxxxxxxxxxxxxxxxxxxxxxx _______________________________________________ infrastructure mailing list -- infrastructure@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to infrastructure-leave@xxxxxxxxxxxxxxxxxxxxxxx
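Review bot: the new `custom_rules` entry for `--dport 9418` drops the `-s 10.0.0.0/8` match and leaves nothing in the file to mark this as a temporary revert. Port 9418 is the unauthenticated, unencrypted git:// service, and the thread attributes the original load to clones from external addresses, so an unconditional ACCEPT restores exactly that exposure. I would add a comment directly above `custom_rules` stating that the open rule is only there until fedpkg and chain builds stop depending on git://, with a pointer to https://bugzilla.redhat.com/show_bug.cgi?id=1188634, so the source restriction is put back after the freeze rather than forgotten. Since the plan is to block individual addresses if the load returns, it would also help to note in that comment where such per-source DROP rules belong: in an append-only `-A INPUT` list they have to come before this ACCEPT to take effect. A per-source connection limit (the iptables `connlimit` match) placed ahead of the ACCEPT is an option worth considering if monitoring shows the same pattern again.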