Once a resource quota is set for a namespace, kube will refuse to
schedule any pod without limits set, including build pod.
This can be difficult to figure out unless you know where to look, and
can be challenging for new openshift/kubernetes users.
Setting a default limit would, at least, avoid the non-schedulable
issue.
ns01 and ns02 are used by internal iad2 ssytems for dns resolution.
This means bastion uses them for smtp outgoing at least.
Lots of dnssec servers out there still are using SHA1 signatures, and
without this the hosts will simply not resolve at all.
So, until things are better we need to set these back to allow SHA1.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
Try to limit the messages to PRs and git commits in flatpaks/
namespace, and bodhi FEDORA-FLATPAK updates.
Signed-off-by: Kalev Lember <klember@redhat.com>
So, instead we need to user the kojibuilder user on the acl. That should
match up to the mockbuild user in the chroot.
Hopefully.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
We need also to allow pesign to the dir/socket so it can start and then
we need kojibuilder access to the socket too.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
We have to use acls here because the mock chroot has it's own user/group
files and it dynamically adds users, but if we use acls it will look up
the user and do the right thing because the name is the same.
(Hopefully)
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
This used to get set in pesignd when it started, but upstream has
dropped that because it's more of a local config issue.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
If this is there, robosignatory will see two 'from: f38's and error out.
We no longer need to resign f38, so drop this at least for now.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
This is an attempt to allow us to sign f38 with the f39 key also in
addition to the f38 one. Using this we can make a ugly loop that signs
all the stuff in the f38 tag with the f39 key. (Hopefully)
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
The uptream of these two was changed to use `dumb-init` to allow for
defunt processes to get reaped in the container [1] so let's change the
commented out sleep commands to do the same.
[1] 9d5618eace
linux system roles does a fine job configuring networking on our
systems, but without this it just configures it but doesn't bring things
'live' until a 'nmcli c up eth0'. Just set this so it should allow it to
restart things and reflect the network as we want it right after the
playbook runs on it.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
