This is a quick, hacked up script that just runs once per minute and
updates the ip addresses for the osbuild koji plugin. The script calls
systemd's resolvectl without cache and puts the ips in an ipset. The
koji_builder firewall has an added rule to check that ipset for outgoing
connections that are allowed.
TODO: add some kind of error checking
TODO: probably won't work on s390x builders as they can't reach the host
even with open firewalls, but should work for others.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
Don't overflow the log with DEBUG messages on production for toddlers. This is
fine on staging, but on production this should be on demand.
Signed-off-by: Michal Konečný <mkonecny@redhat.com>
Since we split up stg and prod so they could have separate ssl certs, we
need to also setup the reverseproxy for staging.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
This is a hack to work around SPF screwing us for @fedoraproject.org
aliases. It only fixes email from @redhat.com, but due to bugzilla that's
a lot of email.
Without this:
bugzilla@redhat.com -> user@fedoraproject.org (expands) ->
user@gmail.com sent out directly to gmail and gets rejected because
we aren't in the redhat.com SPF record.
With this:
bugzilla@redhat.com -> user@fedoraproject.org (expands) ->
user@gmail.com but sent to mx2.redhat.com to deliver. Since
mx2.redhat.com definitely is in the redhat.com SPF record the email is
delivered fine and SPF checks pass.
This won't help for other domains with -all SPF records, but at least it
helps for all the redhat.com emails, of which there are a lot going to
fedoraproject.org aliases. :)
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
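The SPF behaviour described in the commit message above, as an added example that is not part of the commit or of the Fedora Infrastructure code. It evaluates only the ip4/ip6/all mechanisms; the SPF records, IP addresses and the names ALIAS_HOST_IP, RELAY_IP, check_spf and forwarded_result are constructed for illustration.

```python
import ipaddress

# Constructed sample data: documentation-range addresses and made-up SPF
# records, not the real DNS contents of any domain named here.
SPF_RECORDS = {
    "redhat.com": "v=spf1 ip4:192.0.2.0/24 -all",
    "example.org": "v=spf1 ip4:203.0.113.0/24 -all",
}
ALIAS_HOST_IP = "198.51.100.25"  # assumed: host expanding @fedoraproject.org aliases
RELAY_IP = "192.0.2.10"          # assumed: stands in for mx2.redhat.com
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(sender_domain, client_ip, records=SPF_RECORDS):
    """Evaluate the ip4/ip6/all mechanisms of sender_domain's record for client_ip."""
    record = records.get(sender_domain, "")
    if not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in RESULTS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return RESULTS[qualifier]
        if term.startswith(("ip4:", "ip6:")):
            net = ipaddress.ip_network(term[4:], strict=False)
            if ip.version == net.version and ip in net:
                return RESULTS[qualifier]
    return "neutral"  # no mechanism matched


def forwarded_result(envelope_sender, relay_domains=("redhat.com",)):
    """SPF result the final receiver computes for mail expanded through an alias.

    Forwarding keeps the original envelope sender, so the receiver checks the
    sender's domain against whichever host actually connects to it.
    """
    domain = envelope_sender.rsplit("@", 1)[1]
    connecting_ip = RELAY_IP if domain in relay_domains else ALIAS_HOST_IP
    return check_spf(domain, connecting_ip)


if __name__ == "__main__":
    print("without relay:", forwarded_result("bugzilla@redhat.com", relay_domains=()))
    print("with relay:   ", forwarded_result("bugzilla@redhat.com"))
    print("other domain: ", forwarded_result("noreply@example.org"))
```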
This has caused them to pick up the iptables template for staging
instead of the one for their host group (koji_builder). There's no
reason to have staging as a datacenter for these, nothing checks it
besides the base iptables role hopefully.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
The cron jobs are causing the queue to just fill up and the messages can't be
currently processed so they are just being processed in loops.
Disable them for now, till at least some mailing server will be available on staging.
Signed-off-by: Michal Konečný <mkonecny@redhat.com>
There was a placeholder for pagure user in scm_request_processor configuration.
Let's change this to correct user.
Signed-off-by: Michal Konečný <mkonecny@redhat.com>
Problem: Fedora Infrastructure has used various DNS servers in
PHX2. Those no longer exist. This is causing breakage in DNS and many
other internal services.
Fix: Work with Red Hat IT
- to get new DNS servers which are infoblox devices.
- get firewall rules fixed to that
- update named.conf to have new ips
- remove old ips which no longer exist.
Signed-off-by: Stephen Smoogen <ssmoogen@redhat.com>
systemd-oomd seems to be a bit eager and kills builds before the kernel
OOM would have. Disable it for now and see if it helps memory hungry
builds any.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
distgit_packager_bugzilla_sync toddler doesn't work well on staging, because the
accounts from staging dist_git are not properly synced to staging bugzilla,
which is causing this toddler to run for too long and blocking the queue.
Signed-off-by: Michal Konečný <mkonecny@redhat.com>
They aren't encrypted, and it causes networking config problems.
We'd like to solve the underlying problem but we don't know how,
this is good enough for now. Also drop the workaround things
again because they don't seem to help.
Signed-off-by: Adam Williamson <awilliam@redhat.com>
nirik did some stuff in the virthost and buildhw groups to try
and deal with a problem where network configuration created
during the initrd phase for the nbde_client role is activated
by NM during the regular system boot phase, which results in
the network configuration not being the one we actually want
and carefully set up. However, he didn't add this stuff to the
openqa-workers group playbook even though that uses the
nbde_client role too, and we sure are having the same problem
on the openQA workers. Adding it now to see if it helps.
Signed-off-by: Adam Williamson <awilliam@redhat.com>