Seems like either the RHEL 8 (batcave) or Fedora 35 system (Fedora Copr
Infra) prefers ed25519 keys over rsa, leading to weird auth problems:
TASK [allow root ssh connections] ***************************************************************************************************************************
Monday 29 November 2021 13:06:43 +0000 (0:00:00.314) 0:00:03.632 *******
Monday 29 November 2021 13:06:43 +0000 (0:00:00.314) 0:00:03.632 *******
fatal: [copr-be-dev.aws.fedoraproject.org]: UNREACHABLE! => {"changed": false, "msg": "Data could not be sent to remote host \"copr-be-dev.aws.fedoraproject.org\". Make sure this host can be reached over ssh: Certificate invalid: name is not a listed principal\r\n@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@\r\n@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @\r\n@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@\r\nIT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!\r\nSomeone could be eavesdropping on you right now (man-in-the-middle attack)!\r\nIt is also possible that a host key has just been changed.\r\nThe fingerprint for the ED25519 key sent by the remote host is\nSHA256:Cgs/aoJl9OJheAtZZ2CDiYx9ZeFMwD6dUYUJpPDTl58.\r\nPlease contact your system administrator.\r\nAdd correct host key in /root/.ssh/known_hosts to get rid of this message.\r\nOffending RSA key in /root/.ssh/known_hosts:21\r\nED25519 host key for copr-be-dev.aws.fedoraproject.org has changed and you have requested strict checking.\r\nHost key verification failed.\r\n", "unreachable": true}
This lets us move forward with tomorrow's update. The previous
hack(s) were not OK.
We observed a situation when two keys were specified in known_hosts, and
only one was removed by the playbook. At least we think this is what is
actually happening.
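The situation described in the message above, as an added example that is not part of the original commits: a small Python audit that lists every known_hosts entry still naming a host, including hashed `|1|` host fields, so a cleanup that removed only one key type can be spotted. The host name, key blobs and helper names are constructed for illustration; wildcard and negated host patterns are not handled.

```python
import base64
import hashlib
import hmac

def host_matches(field, host):
    """True if a known_hosts host field (plain list or |1| hashed) names host."""
    if field.startswith("|1|"):
        parts = field.split("|")          # ['', '1', salt_b64, mac_b64]
        if len(parts) != 4:
            return False
        mac = hmac.new(base64.b64decode(parts[2]), host.encode(), hashlib.sha1)
        return hmac.compare_digest(mac.digest(), base64.b64decode(parts[3]))
    return host in field.split(",")

def entries_for(text, host):
    """Return (line_number, key_type, sha256_fingerprint) for each entry naming host."""
    found = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if fields[0].startswith("@"):     # @cert-authority / @revoked marker
            fields = fields[1:]
        if len(fields) < 3 or not host_matches(fields[0], host):
            continue
        digest = hashlib.sha256(base64.b64decode(fields[2])).digest()
        fp = "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
        found.append((lineno, fields[1], fp))
    return found

def stale_after_removal(text, host, removed_type):
    """Entries that still pin host after a cleanup that removed one key type."""
    return [e for e in entries_for(text, host) if e[1] != removed_type]

# Constructed sample data: placeholder blobs, not real host keys.
def sample_blob(label):
    return base64.b64encode(label.encode()).decode()

def sample_hashed(host, salt=b"constructed-salt"):
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())

HOST = "builder.example.org"              # hypothetical host name
SAMPLE = "\n".join([
    "# constructed known_hosts sample",
    "%s,192.0.2.10 ssh-rsa %s" % (HOST, sample_blob("old-rsa-key")),
    "other.example.org ssh-ed25519 %s" % sample_blob("other-key"),
    "%s ssh-ed25519 %s" % (sample_hashed(HOST), sample_blob("old-ed25519-key")),
])
```

Calling `stale_after_removal(SAMPLE, HOST, "ssh-rsa")` returns the hashed ED25519 entry on line 4, the kind of leftover that keeps strict host key checking failing after a partial cleanup.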
We shouldn't install `nrpe` package in the `copr/base` playbook
because it creates the following user
nrpe:x:992:991:NRPE user for the NRPE service:/var/run/nrpe:/sbin/nologin
That UID collides with a user for keygen
- user: name="copr-signer" group=copr-signer groups=apache uid=992
The `nrpe` installation needs to be done later, in the `nagios_client`
role that we call after `copr/keygen` role.
This also tears down our swtpm systemd service setup, as
os-autoinst should now handle swtpm device setup for us.
Signed-off-by: Adam Williamson <awilliam@redhat.com>
sigh, needs to be here too as it's used from outside of the role
where the default is set. Not sure if there's a better fix for
this.
Signed-off-by: Adam Williamson <awilliam@redhat.com>
This sets us up for scheduling FCOS tests from messages, not
using a cron job. Also reduces some duplication of variables
between openqa-servers-common and the dispatcher role defaults.
Signed-off-by: Adam Williamson <awilliam@redhat.com>
previously the redirect from help.fedoraproject.org pointed to an old
location on fedoraproject.org which in turn re-directed to an interstitial
that eventually redirected to getfedora.org index
This commit sets the redirect from help.fp.o to ask.fp.o
Resolves: https://pagure.io/fedora-infrastructure/issue/10364
Signed-off-by: Ryan Lerch <rlerch@redhat.com>
previously the redirect from join.fedoraproject.org pointed to the old
join page on the wiki, which in turn re-directed to the final (correct)
destination of https://docs.fedoraproject.org/en-US/project/join/
This commit sets the redirect from join.fp.o to the docs site, skipping
the wiki altogether.
Resolves: https://pagure.io/fedora-infrastructure/issue/10363
Signed-off-by: Ryan Lerch <rlerch@redhat.com>
It causes 403 Forbidden errors when trying to access any backend URL,
not only the `dir-generator.php` file. The exact line causing the
issue is
index-file.names = (
"/dir-generator.php"
)
but to be sure, I am commenting out the whole logic.
SSL: ssl.use-sslv2 is deprecated and will soon be removed. It is
disabled by default. Many modern TLS libraries no longer support
SSLv2.
SSL: ssl.use-sslv3 is deprecated and will soon be removed. It is
disabled by default. Many modern TLS libraries no longer support
SSLv3
This appeared in the logs
PIDFile= references a path below legacy directory /var/run/,
updating /var/run/lighttpd.pid → /run/lighttpd.pid; please update
the unit file accordingly.