- patch the httplib2 library to avoid hardcoding TLSv1
- set the missing configuration variables in `pagure.cfg` (they have no
defaults)
- set the password for the future production version of
`client_secrets.json`
Also note that in the private ansible repo, the Pagure client
configuration in Ipsilon was fixed: the `token_endpoint_auth_method`
variable was set to `"client_secret_post"`.
Signed-off-by: Aurélien Bompard <aurelien@bompard.org>
There's a comment in the issue linked here that says it was fixed
five years ago, so we probably don't need this comment any more?
Signed-off-by: Adam Williamson <awilliam@redhat.com>
We don't have new F39 backgrounds yet, so this test will always
fail. Let's split the test into its own policy so we can easily
control whether we're gating on it (this will be useful for
future cycles, probably).
Signed-off-by: Adam Williamson <awilliam@redhat.com>
F39 updates can't pass testing fully till we have a new compose
and can build new non-Rawhide base images, but we need some
updates that are currently pending to go in the compose. It's
a catch-22, just disabling gating till this is sorted seems
like the least worst option.
Signed-off-by: Adam Williamson <awilliam@redhat.com>
Since there is no central place to inspect osbuild worker logs (such
as Splunk instance), the sysadmin-osbuild group needs access to the
logging server.
Signed-off-by: Tomáš Hozza <thozza@redhat.com>
The IPA client groups configuration for osbuild workers was missed in
the original PR#1498 [1]. As a result, no member of the
`sysadmin-osbuild` FAS group can SSH to the osbuild workers.
Set the appropriate IPA client variables to grant access for this
group.
Also grant access for the `sysadmin-releng` group. There is no specific
reason, it just felt sensible since osbuild workers are running in the
Fedora infrastructure.
[1] https://pagure.io/fedora-infra/ansible/pull-request/1498
Signed-off-by: Tomáš Hozza <thozza@redhat.com>
Branching of f39 is next week, so we need to resign most of everything
with the f40 key so rawhide can be signed after branching.
we will need to make another pass after this one is done.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
We are hitting a NFS caching issue with openqa (at least, possibly
others) where a fetch of repomd.xml will hit one of the kojipkgs servers
and then fetching the rest of the repodata will hit the other that still
has the previous koji buildroot repodata, resulting in 404's.
So, setting this should make nfs only cache postive lookups (ie, file
exists in dir), not negative ones (file does not exist). It will recheck
before returing a 404, which should prevent this issue.
Hopefully this theory is correct. We will see. :)
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
Add the nagios_client role to the buildvm-osbuild.yml playbook to allow
monitoring of osbuild workers. E.g. when they are down or have a full
disk.
Signed-off-by: Tomáš Hozza <thozza@redhat.com>
The buildvm-osbuild.yml playbook fails when running the base role,
specifically when configuring chronyd and restarting it. The reason is
that the role is notifying a handler, which is not defined in the role,
but it is defined in the main handlers file restart_services.yml.
Import handlers from restart_services.yml in the buildvm-osbuild.yml
playbook to ensure that all common handlers are available.
Signed-off-by: Tomáš Hozza <thozza@redhat.com>
