From 4d19f075b755a905c8699c0322b1d5172407b909 Mon Sep 17 00:00:00 2001 From: Pierre-Yves Chibon Date: Tue, 12 May 2020 23:05:44 +0200 Subject: [PATCH 01/38] Document what are the two names in the tmux command to share a session Signed-off-by: Pierre-Yves Chibon --- share_tmux_session.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/share_tmux_session.md b/share_tmux_session.md index 785052b..addf2e0 100644 --- a/share_tmux_session.md +++ b/share_tmux_session.md @@ -19,13 +19,14 @@ So we have created the folder: You can then create a tmux session using: ``` - tmux -S /var/tmux/ new -s + tmux -S /var/tmux/ new -s ``` +(The socket and session names can be different, but they don't have to) And the other person(s) can join it using: ``` - tmux -S /var/tmux/ att -t + tmux -S /var/tmux/ att -t ``` Once the person who created the shared session stops it, the people who have From 2871a87f7ab523586e6c36207e4a22d9e81f320b Mon Sep 17 00:00:00 2001 From: Clement Verna Date: Thu, 14 May 2020 06:21:58 +0200 Subject: [PATCH 02/38] How to unblock rawhide updates in bodhi Signed-off-by: Clement Verna --- unblock_bodhi_rawhide_updates.md | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) create mode 100644 unblock_bodhi_rawhide_updates.md diff --git a/unblock_bodhi_rawhide_updates.md b/unblock_bodhi_rawhide_updates.md new file mode 100644 index 0000000..c130c99 --- /dev/null +++ b/unblock_bodhi_rawhide_updates.md @@ -0,0 +1,16 @@ +# How to unblock Bodhi rawhide updates + +In the case where the rawhide updates in Bodhi are stuck in testing, it often means that one of the following +process is not working properly. + +Either the `bodhi-celery-beat` pod in openshift (used to schedule tasks at regular interval) is not triggering the +`approve_testing_task` or the `bodhi-celery` pod is failing to process that task. + +To unblock these update once can restart these pods. To do so ssh to the os-master01 hosts and run the following commands + +``` +$ oc -n bodhi rollout latest dc/bodhi-celery-beat +$ oc -n bodhi rollout latest dc/bodhi-celery +``` + +Note using the `rollout` command allow us not to have any downtime. From 96dccc0dd67b93ed9756ed000ea402f62d0e3dcf Mon Sep 17 00:00:00 2001 From: Pierre-Yves Chibon Date: Sun, 14 Jun 2020 21:19:28 +0200 Subject: [PATCH 03/38] Document how to change the watch status of someone in dist-git Signed-off-by: Pierre-Yves Chibon --- update_watch_dist_git.md | 47 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 47 insertions(+) create mode 100644 update_watch_dist_git.md diff --git a/update_watch_dist_git.md b/update_watch_dist_git.md new file mode 100644 index 0000000..b8ae5d8 --- /dev/null +++ b/update_watch_dist_git.md @@ -0,0 +1,47 @@ +# How to udpate the watch status of someone in dist-git? + +Let's start with: how to see someone's watch status? + +There are two ways you can check this: + +* Check the API + + Visit https://src.fedoraproject.org/api/0///watchers + ie: https://src.fedoraproject.org/api/0/rpms/borgbackup/watchers + + it will give you information about all the watchers and what they watch. + +* Using pagure-admin + + On the pagure host, run: + ``pagure-admin get-watch / ``, for example: + ``pagure-admin get-watch rpms/borgbackup bpereto`` and it will return you the + current watch status of that user on that project (or None if it is the + default status). + + +Now how do you update this? + +* Using pagure-admin + + On the pagure host, run: + ``pagure-admin update-watch / `` + + You will be prompted with options about which status to set, use ``-1`` to + revert to the default status. + + Example: + +:: + + # pagure-admin update-watch rpms/borgbackup bpereto + Using configuration file `/etc/pagure/pagure.cfg` + The watch status can be one of the following: + -1: reset the watch status to default + 0: unwatch, don't notify the user of anything + 1: watch issues and PRs + 2: watch commits + 3: watch issues, PRs and commits + Status:-1 + Updating watch status of bpereto to -1 (reset the watch status to default) on rpms/borgbackup + From 7daa3389656897294d6efe65ac2b4c7b997256c1 Mon Sep 17 00:00:00 2001 From: Pierre-Yves Chibon Date: Sun, 14 Jun 2020 21:20:33 +0200 Subject: [PATCH 04/38] Tweak the markdown/style on update_watch_dist_git Signed-off-by: Pierre-Yves Chibon --- update_watch_dist_git.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/update_watch_dist_git.md b/update_watch_dist_git.md index b8ae5d8..6697066 100644 --- a/update_watch_dist_git.md +++ b/update_watch_dist_git.md @@ -32,8 +32,6 @@ Now how do you update this? Example: -:: - # pagure-admin update-watch rpms/borgbackup bpereto Using configuration file `/etc/pagure/pagure.cfg` The watch status can be one of the following: From 581f19d9c7b9cd4bd659cfb3fcb1ed9f17887e2d Mon Sep 17 00:00:00 2001 From: Pierre-Yves Chibon Date: Thu, 25 Jun 2020 17:20:24 +0200 Subject: [PATCH 05/38] Add an howto clean the side-tags created by monitor-gating Signed-off-by: Pierre-Yves Chibon --- clean_monitoring_sidetags.md | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) create mode 100644 clean_monitoring_sidetags.md diff --git a/clean_monitoring_sidetags.md b/clean_monitoring_sidetags.md new file mode 100644 index 0000000..e8f9d91 --- /dev/null +++ b/clean_monitoring_sidetags.md @@ -0,0 +1,24 @@ +# How to clean up the side-tags created by the monitor-gating project? + +Monitor-gating runs in openshift and monitors the packager workflow end to end. +Doing this for single build and multi-builds updates by gettings few tests +packages go through that workflow. + +If something happens and side-tags accumulates in koji, they can be cleaned +using the following steps: + +* Go to openshift + https://os.fedoraproject.org/console/project/monitor-gating/overview + (this links points directly to the monitor-gating project) + +* Access the running pod + +* Click on the "Terminal" tab to have a shell in that pod + +* Run the following command: + + python3 /opt/code/clean_up_side_tags.py /opt/config/runner.cfg + +It will go through all the side-tags created by this user/keytab and delete +them using fedpkg remove-side-tag. It will do this for all but one (which may be +in use by the script when the command is ran). From 0e1529b040dffb033f2c250cdb03daedeff85740 Mon Sep 17 00:00:00 2001 From: Pierre-Yves Chibon Date: Wed, 8 Jul 2020 16:41:27 +0200 Subject: [PATCH 06/38] Document how to remove monitoring of a rabbitmq queue Signed-off-by: Pierre-Yves Chibon --- remove_monitoring_rabbitmq_queue.md | 33 +++++++++++++++++++++++++++++ 1 file changed, 33 insertions(+) create mode 100644 remove_monitoring_rabbitmq_queue.md diff --git a/remove_monitoring_rabbitmq_queue.md b/remove_monitoring_rabbitmq_queue.md new file mode 100644 index 0000000..694c932 --- /dev/null +++ b/remove_monitoring_rabbitmq_queue.md @@ -0,0 +1,33 @@ +# How to remove the monitoring of a rabbitmq queue + +The monitoring of queue sizes of rabbitmq queue is done by nagios using two +small configuration file. + +To remove that monitoring, you simply need to remove these two files. + +On the rabbitmq server (rabbitmq01): +------------------------------------ + +* Remove the local nagios configuration file + + rm /etc/nrpe.d/check_rabbitmq_queue_.cfg + +* Then restart the local nagios plugin + + systemctl restart nrpe + +On the nagios server (noc01): +----------------------------- + +* Remove the nagios configuration file + + rm /etc/nagios/services/rabbitmq-queue-.cfg + +* Ensure the configuration is still valid: + + nagios -v /etc/nagios/nagios.cfg + + +* If and only **if** the check above passed, restart nagios on the nagios server + + systemctl restart nagios From a4a420d5d0d436fe459e40de67c102830a1cd09f Mon Sep 17 00:00:00 2001 From: Pierre-Yves Chibon Date: Fri, 24 Jul 2020 10:00:02 +0200 Subject: [PATCH 07/38] Document how to get the logs of a pod in openshift Signed-off-by: Pierre-Yves Chibon --- get_logs_pod_openshift.md | 12 ++++++++++++ 1 file changed, 12 insertions(+) create mode 100644 get_logs_pod_openshift.md diff --git a/get_logs_pod_openshift.md b/get_logs_pod_openshift.md new file mode 100644 index 0000000..06e8035 --- /dev/null +++ b/get_logs_pod_openshift.md @@ -0,0 +1,12 @@ +# How to get the full logs of a pod in openshift? + +You'll need the pod's name, the project's name and access to the openshift +master. + +Then you can run the command: + + oc logs -n + +for example: + + oc logs toddlers-47-2tjj2 -n toddlers From b605aad54234af799fb7373045d43efbda09acb9 Mon Sep 17 00:00:00 2001 From: Mark O'Brien Date: Wed, 29 Jul 2020 15:50:16 +0100 Subject: [PATCH 08/38] AWS add ssh key to root user and remove fedora user --- remove_fedora_user_at_launch_aws.md | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) create mode 100644 remove_fedora_user_at_launch_aws.md diff --git a/remove_fedora_user_at_launch_aws.md b/remove_fedora_user_at_launch_aws.md new file mode 100644 index 0000000..568bea7 --- /dev/null +++ b/remove_fedora_user_at_launch_aws.md @@ -0,0 +1,18 @@ +# How to add allow root ssh login and remove fedora user + +This will allow you to run ansible playbooks as the root user. +It also removes the fedora user so that fas_client can install sucessfully in `/home/fedora` + +Simply add the below text in to the `User Data` field when launching an EC2 instance. +This appears as a text box at the bottom of the `Configure Instance` step when launching an instance.(Step 3) + + +``` +#!/bin/bash +cat home/fedora/.ssh/authorized_keys > /root/.ssh/authorized_keys +userdel -r fedora +``` + +The script copies the public key from the fedora user and replaces the root users key with it. +This is the public key which is associated with the keypair selected when launching the instance. +It then deletes the Fedora user leaving root as the only ssh user on the instance. From e2e7f44095d9f0d16e809ce796a0046860602322 Mon Sep 17 00:00:00 2001 From: Mark O'Brien Date: Wed, 29 Jul 2020 17:11:46 +0100 Subject: [PATCH 09/38] add / to explicitly state dir --- remove_fedora_user_at_launch_aws.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/remove_fedora_user_at_launch_aws.md b/remove_fedora_user_at_launch_aws.md index 568bea7..65fde6d 100644 --- a/remove_fedora_user_at_launch_aws.md +++ b/remove_fedora_user_at_launch_aws.md @@ -9,7 +9,7 @@ This appears as a text box at the bottom of the `Configure Instance` step when l ``` #!/bin/bash -cat home/fedora/.ssh/authorized_keys > /root/.ssh/authorized_keys +cat /home/fedora/.ssh/authorized_keys > /root/.ssh/authorized_keys userdel -r fedora ``` From e8eca8f8cb078b8d426ddd45f64bfc4e77250b2c Mon Sep 17 00:00:00 2001 From: Mikolaj Izdebski Date: Fri, 31 Jul 2020 13:44:25 +0200 Subject: [PATCH 10/38] Document generating VPN keys --- generate_openvpn_keys.md | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) create mode 100644 generate_openvpn_keys.md diff --git a/generate_openvpn_keys.md b/generate_openvpn_keys.md new file mode 100644 index 0000000..cd95e98 --- /dev/null +++ b/generate_openvpn_keys.md @@ -0,0 +1,25 @@ +# How to generate private key and certificate for OpenVPN client + +Doing this requires membership in sysadmin-main FAS group. + +All the following commands should be ran on one of batcave hosts. + +Clone `ansible-private` repo: + + git clone /srv/git/ansible-private + +Change into `files/vpn` subdirectory in cloned repo: + + cd ansible-private/files/vpn + +Run `addhost.sh` script to generate keys and cert, eg.: + + ./addhost.sh proxy33.fedoraproject.org + +Add generated files to git index, commit, push: + + git status + git add pki/certs_by_serial/3ADB026719C7AA872EED47711B46B79A.pem pki/issued/proxy33.fedoraproject.org.crt pki/private/proxy33.fedoraproject.org.key pki/reqs/proxy33.fedoraproject.org.req + git commit -a -m "Add VPN key/cert for proxy33.fedoraproject.org" + git show + git push From 08e68f35b17ee53fe07f3c08cfce1a1a2b4694f1 Mon Sep 17 00:00:00 2001 From: Pierre-Yves Chibon Date: Tue, 4 Aug 2020 16:12:31 +0200 Subject: [PATCH 11/38] Simplify how to add vpn key/cert: commit all the files to git Signed-off-by: Pierre-Yves Chibon --- generate_openvpn_keys.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/generate_openvpn_keys.md b/generate_openvpn_keys.md index cd95e98..563d985 100644 --- a/generate_openvpn_keys.md +++ b/generate_openvpn_keys.md @@ -19,7 +19,7 @@ Run `addhost.sh` script to generate keys and cert, eg.: Add generated files to git index, commit, push: git status - git add pki/certs_by_serial/3ADB026719C7AA872EED47711B46B79A.pem pki/issued/proxy33.fedoraproject.org.crt pki/private/proxy33.fedoraproject.org.key pki/reqs/proxy33.fedoraproject.org.req + git add . git commit -a -m "Add VPN key/cert for proxy33.fedoraproject.org" git show git push From 8db145eba76627b7c1e6987989ca16dfbf0eced5 Mon Sep 17 00:00:00 2001 From: Pierre-Yves Chibon Date: Tue, 4 Aug 2020 17:21:23 +0200 Subject: [PATCH 12/38] Document how to generate 2FA keys/certs Signed-off-by: Pierre-Yves Chibon --- generate_2fa_keys.md | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) create mode 100644 generate_2fa_keys.md diff --git a/generate_2fa_keys.md b/generate_2fa_keys.md new file mode 100644 index 0000000..b1dd672 --- /dev/null +++ b/generate_2fa_keys.md @@ -0,0 +1,25 @@ +# How to generate 2 Factor Authentication key and certificate + +Doing this requires membership in sysadmin-main FAS group. + +All the following commands should be ran on one of batcave hosts. + +Clone `ansible-private` repo: + + git clone /srv/git/ansible-private + +Change into `files/vpn` subdirectory in cloned repo: + + cd ansible-private/files/2fa-certs + +The process is described in the README but is basically: + + . ./vars; ./build-and-sign-key + +Add generated files to git index, commit, push: + + git status + git add . + git commit -a -m "Add 2 FA key/cert for " + git show + git push From 54b65662d03fa69163963656fa165ddec9cc1213 Mon Sep 17 00:00:00 2001 From: Clement Verna Date: Wed, 26 Aug 2020 13:31:41 +0200 Subject: [PATCH 13/38] Refresh the OSBS ODCS OIDC token. Signed-off-by: Clement Verna --- refresh_osbs_odcs_oicd_token.md | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) create mode 100644 refresh_osbs_odcs_oicd_token.md diff --git a/refresh_osbs_odcs_oicd_token.md b/refresh_osbs_odcs_oicd_token.md new file mode 100644 index 0000000..1241017 --- /dev/null +++ b/refresh_osbs_odcs_oicd_token.md @@ -0,0 +1,24 @@ +# How to refresh the odcs oidc token used by OSBS + +OSBS needs to trigger composes to ODCS for flatpak build, this is done using an OIDC token to authenticate the requests. +This token expires every 365 days so it needs to be regenerated every year. + +## Generate a new token +In the ansible repo run the following command: + + scripts/generate-oidc-token osbs -e 365 -s https://id.fedoraproject.org/scope/groups -s https://pagure.io/odcs/new-compose -s https://pagure.io/odcs/renew-compose -s https://pagure.io/odcs/delete-compose + + +Follow the instructions given by the script and run the SQL command on the ipsilon database server: + + ssh db-fas01.iad2.fedoraproject.org + sudo -u postgres -i ipsilon + ipsilon=# BEGIN; + .... + ipsilon=# COMMIT; + +Save the value of the token generated by the script in the ansible-private repo under `ansible-private/files/osbs/production/odcs-oidc-token` (same needs to be done for the staging cluster) + +## Deploy the change + +Run the following playbook to deploy the new token `ansible-playbook /srv/web/infra/ansible/playbooks/groups/osbs/configure-osbs.yml` From 8a3bf7874b4fde4fa2a5ec460bc448577c90e19e Mon Sep 17 00:00:00 2001 From: Mark O'Brien Date: Mon, 24 Aug 2020 16:14:09 +0100 Subject: [PATCH 14/38] add_external_hardware_to_vpn howto --- add_external_hardware_to_vpn.md | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) create mode 100644 add_external_hardware_to_vpn.md diff --git a/add_external_hardware_to_vpn.md b/add_external_hardware_to_vpn.md new file mode 100644 index 0000000..6659d73 --- /dev/null +++ b/add_external_hardware_to_vpn.md @@ -0,0 +1,30 @@ +# Add external servers to vpn + +- In the Fedora Infra Ansible repo edit the file roles/batcave/files/allows. +Under the correct section add **require ip** ****** + +- When this change is pushed run the batcave ansible playbook on the batcave. + +- Create openvpn and 2fa certificates for the new server. +This requires sysadmin main access + +> https://pagure.io/fedora-infra/howtos/blob/master/f/generate_2fa_keys.md +> https://pagure.io/fedora-infra/howtos/blob/master/f/generate_openvpn_keys.md + +- In the dns repo on batcave edit the file master/168.192.in-addr.arpa +Add the new host to one of the unused adresses. +Don't forget to update teh serial before saving. + +- Also edit the master/vpn.fedoraproject.org file to add the server with +the new 192.168.*.* address created in the previous step to the required section +Don't forget to update teh serial before saving. + +- When the above edits are done follow the instructions in the DNS sysadmin sop +about signing and pushing new dns chnages. +> https://fedora-infra-docs.readthedocs.io/en/latest/sysadmin-guide/sops/dns.html#editing-the-domain-s + +- Finally in the Fedora Infra Ansible repo add a new file +roles/openvpn/server/files/ccd/** with the new 192.168.*.* address. +View one of the existing files in the repo for a sample of formatting. +This change will be run when the server is provisioned. + From 5b962c5035e02a88837ae584a05f82680fb791d8 Mon Sep 17 00:00:00 2001 From: Mark O'Brien Date: Tue, 25 Aug 2020 11:09:45 +0100 Subject: [PATCH 15/38] fix typo and improve markdown --- add_external_hardware_to_vpn.md | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/add_external_hardware_to_vpn.md b/add_external_hardware_to_vpn.md index 6659d73..fd942be 100644 --- a/add_external_hardware_to_vpn.md +++ b/add_external_hardware_to_vpn.md @@ -1,9 +1,10 @@ # Add external servers to vpn -- In the Fedora Infra Ansible repo edit the file roles/batcave/files/allows. +- In the Fedora Infra Ansible repo edit the file **roles/batcave/files/allows**. Under the correct section add **require ip** ****** -- When this change is pushed run the batcave ansible playbook on the batcave. +- When this change is pushed run the batcave ansible playbook on the batcave. +You will need sysadmin-main access for this - Create openvpn and 2fa certificates for the new server. This requires sysadmin main access @@ -13,18 +14,19 @@ This requires sysadmin main access - In the dns repo on batcave edit the file master/168.192.in-addr.arpa Add the new host to one of the unused adresses. -Don't forget to update teh serial before saving. +Ensure the hostname ends in .vpn.fedoraproject.org. +Don't forget to update the serial before saving. - Also edit the master/vpn.fedoraproject.org file to add the server with the new 192.168.*.* address created in the previous step to the required section -Don't forget to update teh serial before saving. +Don't forget to update the serial before saving. - When the above edits are done follow the instructions in the DNS sysadmin sop about signing and pushing new dns chnages. > https://fedora-infra-docs.readthedocs.io/en/latest/sysadmin-guide/sops/dns.html#editing-the-domain-s - Finally in the Fedora Infra Ansible repo add a new file -roles/openvpn/server/files/ccd/** with the new 192.168.*.* address. +**roles/openvpn/server/files/ccd/**** with the new 192.168.*.* address. View one of the existing files in the repo for a sample of formatting. This change will be run when the server is provisioned. From d4d518d9e4d646e392e69f0706f85825a2da634c Mon Sep 17 00:00:00 2001 From: Pierre-Yves Chibon Date: Wed, 2 Sep 2020 14:14:35 +0200 Subject: [PATCH 16/38] Document how to remove meeting minutes from meetbot/mote Signed-off-by: Pierre-Yves Chibon --- remote_meeting_minutes_meetbot.md | 56 +++++++++++++++++++++++++++++++ 1 file changed, 56 insertions(+) create mode 100644 remote_meeting_minutes_meetbot.md diff --git a/remote_meeting_minutes_meetbot.md b/remote_meeting_minutes_meetbot.md new file mode 100644 index 0000000..8276aa1 --- /dev/null +++ b/remote_meeting_minutes_meetbot.md @@ -0,0 +1,56 @@ +# How to remove meeting minutes from meetbot? + +Every now and then, we're asked to remove meeting minutes that meetbot recorded. + +Meetbot records meeting on disk on value01. +The minutes can be found in: + +:: + + /srv/web/meetbot + +Most often people asking to have some minutes removed, will give you an URL to +that meeting. +You can use it to find the corresponding file, based on this (see above) root +directory. + +For example the url: + +:: + + https://meetbot.fedoraproject.org/teams/workstation/workstation.2020-08-19-18.13.log.html + +points to the file: + +:: + /srv/web/meetbot/teams/workstation/workstation.2020-08-19-18.13.log.html + + +If you check this file, you will see that it is in fact a symlink to: + +:: + + /srv/web/meetbot/fedora-meeting-2/2020-08-19/workstation.2020-08-19-18.13.log.html + +(this will change for each meeting room and date of course). + + +So to remove this meeting we need to: + +* Create a backup in case we've messed things up:: + + mkdir meeting_workstation_20200819 + +* Move all the minutes from this meeting to this directory:: + + mv /srv/web/meetbot/fedora-meeting-2/2020-08-19/workstation.2020-08-19-18.13.* meeting_workstation_20200819 + +* Remove the symlink:: + + rm /srv/web/meetbot/teams/workstation/workstation.2020-08-19-18.13.* + + +What about the UI? + +Well, Mote seats on the top of the files meetbot generates, so cleaning up the +files on disk will eventually end up cleaning things in the UI. From 17ed06fde9a6d9c21a424b61cc834efe74f7ccb4 Mon Sep 17 00:00:00 2001 From: Pierre-Yves Chibon Date: Wed, 2 Sep 2020 17:43:09 +0200 Subject: [PATCH 17/38] Document how to add groups in dist-git Signed-off-by: Pierre-Yves Chibon --- creating_groups_distgit.md | 32 ++++++++++++++++++++++++++++++++ 1 file changed, 32 insertions(+) create mode 100644 creating_groups_distgit.md diff --git a/creating_groups_distgit.md b/creating_groups_distgit.md new file mode 100644 index 0000000..8e507be --- /dev/null +++ b/creating_groups_distgit.md @@ -0,0 +1,32 @@ +# How to create a group in dist-git? + +/!\ You may want to read first groups_in_fedora.md for information on the +different types of groups in Fedora. + +Dist-git does not allow anyone to create groups, only admins can do it via the +``pagure-admin`` CLI tool. + +To create a group, you can simply run the command: + +:: + + pagure-admin new-group \ + --description="short description" \ + --display="Name used in the UI" + +The group members are then sync upon their login in dist-git (ie: people will +have to log out and back in for their group membership to be refreshed). + +Groups are linked to the user who created it and it used to not be possible to +give the group to another user(\*), so lots of the early groups were created to +the ``releng`` user, thus allowing to easily remove the user who asked for the +group if they left the project. + +It is nowadays possible to give groups from an user to another. This can be done +by the person who is the current main admin of the group or a pagure admin. + +The URL to give a group is: + +:: + + https://src.fedoraproject.org/group//edit From 1af894beeabb4a15b45e195bb7c20b542ba2e089 Mon Sep 17 00:00:00 2001 From: Pierre-Yves Chibon Date: Wed, 2 Sep 2020 17:46:12 +0200 Subject: [PATCH 18/38] Document how to give group from someone to someone else Signed-off-by: Pierre-Yves Chibon --- creating_groups_distgit.md | 15 ++------------- give_groups_dist_git.md | 16 ++++++++++++++++ 2 files changed, 18 insertions(+), 13 deletions(-) create mode 100644 give_groups_dist_git.md diff --git a/creating_groups_distgit.md b/creating_groups_distgit.md index 8e507be..826504b 100644 --- a/creating_groups_distgit.md +++ b/creating_groups_distgit.md @@ -17,16 +17,5 @@ To create a group, you can simply run the command: The group members are then sync upon their login in dist-git (ie: people will have to log out and back in for their group membership to be refreshed). -Groups are linked to the user who created it and it used to not be possible to -give the group to another user(\*), so lots of the early groups were created to -the ``releng`` user, thus allowing to easily remove the user who asked for the -group if they left the project. - -It is nowadays possible to give groups from an user to another. This can be done -by the person who is the current main admin of the group or a pagure admin. - -The URL to give a group is: - -:: - - https://src.fedoraproject.org/group//edit +How to give groups from someone to someone else can be found in: +``give_groups_dist_git.md`` diff --git a/give_groups_dist_git.md b/give_groups_dist_git.md new file mode 100644 index 0000000..03af364 --- /dev/null +++ b/give_groups_dist_git.md @@ -0,0 +1,16 @@ +# How to give a group from someone to someone else in dist-git? + +Groups are linked to the user who created it and it used to not be possible to +give the group to another user(\*), so lots of the early groups were created to +the ``releng`` user, thus allowing to easily remove the user who asked for the +group if they left the project. + +It is nowadays possible to give groups from an user to another. This can be done +by the person who is the current main admin of the group or a pagure admin. + +The URL to give a group is: + +:: + + https://src.fedoraproject.org/group//edit + From 4ae367da59a8914ea9ec7640c1e482f09051038e Mon Sep 17 00:00:00 2001 From: Pierre-Yves Chibon Date: Fri, 4 Sep 2020 16:11:33 +0200 Subject: [PATCH 19/38] Document how to remove branches in dist-git Signed-off-by: Pierre-Yves Chibon --- remove_branch_distgit.md | 81 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 81 insertions(+) create mode 100644 remove_branch_distgit.md diff --git a/remove_branch_distgit.md b/remove_branch_distgit.md new file mode 100644 index 0000000..eeed2e6 --- /dev/null +++ b/remove_branch_distgit.md @@ -0,0 +1,81 @@ +# How to remove a git branch in a dist-git repository? + +Historically we did not allow to remove git branches in dist-git repository, but +FESCo recently approved their removal **if and only if** all the commits in the +branch to be deleted can be reached from another branch. +This is a requirement to ensure that if any of the commits were used in a build, +we still have the commit accessible and thus we are able to reproduce the build +if needed. + +There is a script in the releng repository to use to check if a branch can +safely be deleted. + +So here are the steps to follow to remove the branch from the package +. + +- Clone the releng repo if you do not already have it: + +:: + + git clone https://pagure.io/releng.git + +- If you already have it, pull the latest changes: + +:: + + pushd releng && git pull --rebase && popd + +- Clone the package locally: + +:: + + fedpkg clone + +- Checkout the branch: + +:: + + cd clone && git checkout + +- Run the script: + +:: + python ../releng/scripts/distgit-branch-unused.py + +(If needed, see the ``--help`` of the script for more information) + + +If the script returns that the branch is safe to delete: + +- Go to pkgs01 as root + +:: + + ssh pkgs01.iad2.fedoraproject.org + +- Go to the git repository: + +:: + + cd /srv/git/repositories//.git + +- Move the head of the branch (this allows to recover it later if needed): + +:: + + mv refs/heads/ heads_ + +- On your local clone of , check that the branch was deleted upstream: + +:: + + git fetch -p + +This should show something like: + +:: + $ git fetch -p + From ssh://pkgs.fedoraproject.org// + - [deleted] (none) -> origin/ + + From 8d4a7f53969e245e564b1cad73710436af5b492a Mon Sep 17 00:00:00 2001 From: Pierre-Yves Chibon Date: Fri, 4 Sep 2020 16:13:04 +0200 Subject: [PATCH 20/38] fixup markdown Signed-off-by: Pierre-Yves Chibon --- remove_branch_distgit.md | 18 ------------------ 1 file changed, 18 deletions(-) diff --git a/remove_branch_distgit.md b/remove_branch_distgit.md index eeed2e6..386af10 100644 --- a/remove_branch_distgit.md +++ b/remove_branch_distgit.md @@ -15,31 +15,22 @@ So here are the steps to follow to remove the branch from the package - Clone the releng repo if you do not already have it: -:: - git clone https://pagure.io/releng.git - If you already have it, pull the latest changes: -:: - pushd releng && git pull --rebase && popd - Clone the package locally: -:: - fedpkg clone - Checkout the branch: -:: - cd clone && git checkout - Run the script: -:: python ../releng/scripts/distgit-branch-unused.py (If needed, see the ``--help`` of the script for more information) @@ -49,31 +40,22 @@ If the script returns that the branch is safe to delete: - Go to pkgs01 as root -:: - ssh pkgs01.iad2.fedoraproject.org - Go to the git repository: -:: - cd /srv/git/repositories//.git - Move the head of the branch (this allows to recover it later if needed): -:: - mv refs/heads/ heads_ - On your local clone of , check that the branch was deleted upstream: -:: - git fetch -p This should show something like: -:: $ git fetch -p From ssh://pkgs.fedoraproject.org// - [deleted] (none) -> origin/ From 11cc0f84462ba9551202cc912e91ec057488e02e Mon Sep 17 00:00:00 2001 From: Pierre-Yves Chibon Date: Fri, 4 Sep 2020 16:22:21 +0200 Subject: [PATCH 21/38] Try more markdown syntax fixes Signed-off-by: Pierre-Yves Chibon --- remove_branch_distgit.md | 45 ++++++++++++++++++++++++++++------------ 1 file changed, 32 insertions(+), 13 deletions(-) diff --git a/remove_branch_distgit.md b/remove_branch_distgit.md index 386af10..711b65e 100644 --- a/remove_branch_distgit.md +++ b/remove_branch_distgit.md @@ -10,28 +10,39 @@ if needed. There is a script in the releng repository to use to check if a branch can safely be deleted. -So here are the steps to follow to remove the branch from the package -. +So here are the steps to follow to remove the branch `` from the package +``. - Clone the releng repo if you do not already have it: - git clone https://pagure.io/releng.git +``` +git clone https://pagure.io/releng.git +``` + - If you already have it, pull the latest changes: - pushd releng && git pull --rebase && popd +``` +pushd releng && git pull --rebase && popd +``` -- Clone the package locally: +- Clone the `` package locally: - fedpkg clone +``` +fedpkg clone +``` - Checkout the branch: - cd clone && git checkout +``` +cd clone && git checkout +``` - Run the script: - python ../releng/scripts/distgit-branch-unused.py +``` +python ../releng/scripts/distgit-branch-unused.py +``` (If needed, see the ``--help`` of the script for more information) @@ -40,19 +51,27 @@ If the script returns that the branch is safe to delete: - Go to pkgs01 as root - ssh pkgs01.iad2.fedoraproject.org +``` +ssh pkgs01.iad2.fedoraproject.org +``` - Go to the git repository: - cd /srv/git/repositories//.git +``` +cd /srv/git/repositories//.git +``` - Move the head of the branch (this allows to recover it later if needed): - mv refs/heads/ heads_ +``` +mv refs/heads/ heads_ +``` - On your local clone of , check that the branch was deleted upstream: - - git fetch -p + +``` +git fetch -p +``` This should show something like: From c9ad4a18ee6cfb62c393f92d0a82358557d893a4 Mon Sep 17 00:00:00 2001 From: Mohan Boddu Date: Tue, 8 Sep 2020 15:36:28 -0400 Subject: [PATCH 22/38] Removing refs if they are part of packed-refs file Signed-off-by: Mohan Boddu --- remove_branch_distgit.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/remove_branch_distgit.md b/remove_branch_distgit.md index 711b65e..82ee61a 100644 --- a/remove_branch_distgit.md +++ b/remove_branch_distgit.md @@ -67,6 +67,13 @@ cd /srv/git/repositories//.git mv refs/heads/ heads_ ``` +- Sometimes the ref is in the `packed-refs` file, in that case: + +``` +grep packed-refs > heads_ +Then remove the line from `packed-refs` file +``` + - On your local clone of , check that the branch was deleted upstream: ``` From e87b1546395cb81c5aef5991dc7311f5b5c07c97 Mon Sep 17 00:00:00 2001 From: Stephen Smoogen Date: Fri, 25 Sep 2020 12:33:52 -0400 Subject: [PATCH 23/38] rewrite the sop for archiving a fedora release into markdown for this repo --- archiving_a_fedora_release.md | 152 ++++++++++++++++++++++++++++++++++ 1 file changed, 152 insertions(+) create mode 100644 archiving_a_fedora_release.md diff --git a/archiving_a_fedora_release.md b/archiving_a_fedora_release.md new file mode 100644 index 0000000..1202b16 --- /dev/null +++ b/archiving_a_fedora_release.md @@ -0,0 +1,152 @@ +# How to archive a Fedora Release +.. title: How to Archive Old Fedora Releases. +.. slug: archive-old-fedora +.. date: 2016-04-08 updated: 2020-09-25 +.. taxonomy: Releng/Infrastructure + + +## Document Info + +The Fedora download servers contain terabytes of data, and to allow +for mirrors to not have to take all of that data, infrastructure +regularly moves data of end of lifed releases (from /pub/fedora/linux) +to the archives section (/pub/archive/fedora/linux) + +## Steps Involved + +1. log into ```batcave01.iad2.fedoraproject.org``` +2. sudo log into a server which has read-write access to the download + NFS partition. Then change to the appropriate user. + ``` + $ sudo -i ssh root@bodhi-backend01.iad2.fedoraproject.org + # su - ftpsync + $ + ``` +3. Then change into the releases directory. + ``` + $ cd /pub/fedora/linux/releases + ``` + +4. Check to see that the target directory doesn't already exist. + ``` + $ ls /pub/archive/fedora/linux/releases/ + $ ls /pub/archive/fedora-secondary/releases/ + ``` + +5. If the target directory does not already exist, do a recursive link + copy of the tree you want to the target. This works because + currently archives is on the same partition. + ``` + $ cp -lvpnr 21 /pub/archive/fedora/linux/releases/21 + ``` + Common errors which might occur at this time is finding that the + NFS partition is not mounted read-write. Other errors can occur + where the NFS is read-write, but ftpsync does not have rights to + copy a file. These need to be dealt with individually. + + Another error which happens when I script things is that you find + out that everything got copied into + /pub/archive/fedora/linux/releases/21/21 even though it shouldn't. + +6. If the target directory already exists, then we need to do a + recursive rsync to update any changes in the trees since the + previous copy. + + ``` + $ rsync -avSAXHP --delete ./21/ /pub/archive/fedora/linux/releases/21/ + ``` + + Again common errors which need to be dealt with are permission + items. Usually it is contacting other people in release + engineering to see what is needed. + +7. We now do the updates and updates/testing in similar ways. + + ``` + $ cd ../updates/ + $ cp -lpnr 21 /pub/archive/fedora/linux/updates/21 + $ cd testing + $ cp -lpnr 21 /pub/archive/fedora/linux/updates/testing/21 + + $ cd ../updates/ + $ rsync -avSAXHP --delete 21/ /pub/archive/fedora/linux/updates/21/ + $ cd testing + $ rsync -avSAXHP --delete 21/ /pub/archive/fedora/linux/updates/testing/21/ + ``` + +8. At this point we now do the same with the fedora-secondary trees + with similar syntax. + ``` + $ cd /pub/fedora-secondary/releases/ + $ cp -lpnr 21 /pub/archive/fedora-secondary/releases/21 + $ cd ../updates/ + $ cp -lpnr 21 /pub/archive/fedora-secondary/updates/21 + $ cd testing + $ cp -lpnr 21 /pub/archive/fedora-secondary/updates/testing/21 + + $ cd /pub/fedora-secondary/releases/ + $ rsync -avSAXHP --delete 21/ /pub/archive/fedora-secondary/releases/21/ + $ cd ../updates/ + $ rsync -avSAXHP --delete 21/ /pub/archive/fedora-secondary/updates/21/ + $ cd testing + $ rsync -avSAXHP --delete 21/ /pub/archive/fedora-secondary/updates/testing/21/ + ``` + +8. Announce to the mirror list this has been done and that in 2 weeks + you will move the old trees to archives. + +9. In two weeks, log into mm-backend01 and run the archive script + + ``` + $ sudo -i ssh root@mm-backend01.iad2.fedoraproject.org + # sudo -u mirrormanager mm2_move-to-archive \ + --originalCategory="Fedora Linux" \ + --archiveCategory="Fedora Archive" \ + --directoryRe='/21/Everything' + # sudo -u mirrormanager mm2_move-to-archive \ + --originalCategory="Fedora Secondary Linux" \ + --archiveCategory="Fedora Archive" \ + --directoryRe='/21/Everything' + ``` + +10. If there are problems, the postgres DB may have issues and so you need to + get a DBA to update the backend to fix items. + +11. Wait an hour or so then you can remove the files from the main tree. + +``` + $ sudo -i ssh bodhi-backend01.iad2.fedoraproject.org + # su - ftpsync + $ cd /pub/fedora/linux/releases + $ cd 21 + $ ls # make sure you have stuff here + $ rm -rf * + $ ln ../20/README . + $ cd ../../updates/21 + $ ls # make sure you have stuff here + $ rm -rf * + $ ln ../20/README . + $ cd ../testing/21 + $ ls # make sure you have stuff here + $ rm -rf * + $ ln ../20/README . + + $ cd /pub/fedora-secondary/releases + $ cd 21 + $ ls # make sure you have stuff here + $ rm -rf * + $ ln ../20/README . + $ cd ../../updates/21 + $ ls # make sure you have stuff here + $ rm -rf * + $ ln ../20/README . + $ cd ../testing/21 + $ ls # make sure you have stuff here + $ rm -rf * + $ ln ../20/README . + +``` + + + + From 685156e38746197c3ec194dc224fdf6d1c9c7064 Mon Sep 17 00:00:00 2001 From: Pierre-Yves Chibon Date: Tue, 29 Sep 2020 16:24:05 +0200 Subject: [PATCH 24/38] Document how to fix bugzilla/aws SAML login via ipsilon Signed-off-by: Pierre-Yves Chibon --- fix_bugzilla_aws_saml_login.md | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) create mode 100644 fix_bugzilla_aws_saml_login.md diff --git a/fix_bugzilla_aws_saml_login.md b/fix_bugzilla_aws_saml_login.md new file mode 100644 index 0000000..e31d5c9 --- /dev/null +++ b/fix_bugzilla_aws_saml_login.md @@ -0,0 +1,20 @@ +# How to fix SAML login in bugzilla/AWS + +Basically, we've observed that every now and then one of the ipsilon pod looses +its config (or so it seems) which leads to make that pod unable to properly +serve SAML requests. + +Here are the steps to debug and fix this situation: + +- Open all the web pod of ipsilon in different tags - Open the logs tab for + each +- Open bugzilla.redhat.com in a tab using the private browser mode +- Try logging into bugzilla using the Fedora contributor button in the drop-down +- Check the recent logs of the pods and find the one saying something like: + ``DEBUG(providers/saml2/auth.py:176 Redirect.saml2login()): saml2: 'NoneType' object has no attribute 'get_login_handler'`` + - copy the name of that pod +- Go to the openshift's main node +- Delete the pod using: ``oc -n ipsilon delete pod `` (for example: ``oc -n ipsilon delete pod ipsilon-24-8ztdd``), + Openshift will automatically spawn a new one +- Try login on bugzilla again - it should work (or maybe another pod is mis-behaving?) + From 8dc5f17b3c795bac15646b6656411ee21c6bb292 Mon Sep 17 00:00:00 2001 From: Pierre-Yves Chibon Date: Tue, 30 Mar 2021 10:12:13 +0200 Subject: [PATCH 25/38] Add doc on how to create a keytab Signed-off-by: Pierre-Yves Chibon --- create_keytab.md | 40 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 40 insertions(+) create mode 100644 create_keytab.md diff --git a/create_keytab.md b/create_keytab.md new file mode 100644 index 0000000..2b40c6c --- /dev/null +++ b/create_keytab.md @@ -0,0 +1,40 @@ +# How to create a keytab for an user? + +First obtain Kerberos ticket with kinit: + +``` +$ kinit myusername@FEDORAPROJECT.ORG +Password for myusername@FEDORAPROJECT.ORG: +``` + +Then obtain kvno value: + +``` +$ kvno myusername@FEDORAPROJECT.ORG +myusername@FEDORAPROJECT.ORG: kvno = 42 +``` + +Ticket is no longer needed and can be destroyed: + +``` +$ kdestroy -p myusername@FEDORAPROJECT.ORG +``` + +Generate keytab and write it to disk: + +``` +$ ktutil +ktutil: addent -password -p myusername@FEDORAPROJECT.ORG -k 42 -f +Password for myusername@FEDORAPROJECT.ORG: +ktutil: wkt /tmp/kt/fedora +ktutil: q +``` + +Done. You can now use the keytab to obtain the ticket without typing password: + +``` +$ kinit -kt /tmp/kt/fedora myusername@FEDORAPROJECT.ORG +``` + + +(source: https://pagure.io/fedora-infrastructure/issue/9544#comment-706949) From 04b4e97cb6961bf8f2f13efb1263f44e9f90a042 Mon Sep 17 00:00:00 2001 From: Mark O'Brien Date: Wed, 7 Apr 2021 11:40:17 +0100 Subject: [PATCH 26/38] update clean2fa for ipa --- clean_2f_tokens.md | 27 ++++++--------------------- 1 file changed, 6 insertions(+), 21 deletions(-) diff --git a/clean_2f_tokens.md b/clean_2f_tokens.md index 13c00d9..d5957d0 100644 --- a/clean_2f_tokens.md +++ b/clean_2f_tokens.md @@ -1,27 +1,12 @@ -# How to remove 2 factors authentication tokens? +# How to remove 2 factor authentication tokens in IPA -* become root on os-master01 and/or os-master01.stg +* log into `https://id.fedoraproject.org/ipa/ui/` using noggin credentials -* Run the following commands: +* Click on the `Authentication` tab -``` -oc project fas -oc get pods -``` +* Click on the `OTP Tokens` sub tab -* Look for the totpcgi-N-hash pods +* Enter the username into the search bar. This will display a list of tokens associated with the user. -* Log into that pod: - -``` -oc rsh -``` - -* Clean the tokens: - -``` -totpprov delete-user -``` - -* say yes, exit, and repeat for stg/prod as each has their own db. +* Select the desired token and click delete. A popup will appear, click delete again to confirm. From 70f393ad5883763a71ac04df381e4d315373ee11 Mon Sep 17 00:00:00 2001 From: Mark O'Brien Date: Thu, 8 Apr 2021 11:24:34 +0100 Subject: [PATCH 27/38] clean2fa: add cli instructions --- clean_2f_tokens.md | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/clean_2f_tokens.md b/clean_2f_tokens.md index d5957d0..f26ad56 100644 --- a/clean_2f_tokens.md +++ b/clean_2f_tokens.md @@ -1,4 +1,4 @@ -# How to remove 2 factor authentication tokens in IPA +# How to remove 2 factor authentication tokens in IPA using ui * log into `https://id.fedoraproject.org/ipa/ui/` using noggin credentials @@ -10,3 +10,13 @@ * Select the desired token and click delete. A popup will appear, click delete again to confirm. +# How to remove 2 factor authentication tokens in IPA using cli + +* kinit as user with admin privileges on ipa server + +* Run `ipa otptoken-find --owner=` + +* A list of the users otp tokens will be displayed. Copy `Unique ID` vlaue of the desired token + +* Run `ipa otptoken-del `. The token is now removed + From fa23906fe6622831577f57df45561367a82e9893 Mon Sep 17 00:00:00 2001 From: Pierre-Yves Chibon Date: Fri, 16 Apr 2021 10:07:52 +0200 Subject: [PATCH 28/38] Explain how to create the API token for src.fp.o Signed-off-by: Pierre-Yves Chibon --- create_fedscm_admin_token.md | 63 ++++++++++++++++++++++++++++++++++++ 1 file changed, 63 insertions(+) create mode 100644 create_fedscm_admin_token.md diff --git a/create_fedscm_admin_token.md b/create_fedscm_admin_token.md new file mode 100644 index 0000000..05ac16b --- /dev/null +++ b/create_fedscm_admin_token.md @@ -0,0 +1,63 @@ +# Creating fedscm-admin token for releng + +Members of the releng team that are processing the fedora-scm requests are using +the CLI tool: fedscm-request. +They will need a few access to be able to use this tool properly: +- they will need a token to add/adjust things in PDC +- they will need a token to create/modify things on src.fp.o +- they will need a token to act on the fedora-scm repo on pagure.io (this one + can be created by themselves once they are given the access) + +This doc covers the second point. + + +* Log into pkgs01.iad2.fedoraproject.org +* Run the following command: + +```` +pagure-admin admin-token create +```` + +For example: + +```` +pagure-admin admin-token create petersen 2020-06-30 +```` + +This will ask you which ACLs you want this token to have, select: +- create_project +- modify_project +- create_branch +- generate_acls_project + +Then confirm the creation of the token. + +Once the token is created, you can check that it was properly created by doing: + +```` +pagure-admin admin-token list --user +```` + +This will return all the active admin-token of that user. You should find the +newly created token there. + +You can also check the ACLs of that token by doing: +```` +pagure-admin admin-token info +```` + +Finally, you can edit the expiration date of the token by doing: +```` +pagure-admin admin-token update +```` + +For example: +```` +pagure-admin admin-token update foobarbaz 2000-01-01 +```` + + + +/!\ Note: there is no need to send that token to the user, simply ask them to +check their API tokens in their settings' page. It will be shown there :) + From 8a1e7951fabfc35ff88f6651511b87da7c0c8b93 Mon Sep 17 00:00:00 2001 From: Mark O Brien Date: Mon, 20 Dec 2021 15:16:38 +0000 Subject: [PATCH 29/38] update links to main branch Signed-off-by: Mark O Brien --- add_external_hardware_to_vpn.md | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/add_external_hardware_to_vpn.md b/add_external_hardware_to_vpn.md index fd942be..5147446 100644 --- a/add_external_hardware_to_vpn.md +++ b/add_external_hardware_to_vpn.md @@ -3,17 +3,17 @@ - In the Fedora Infra Ansible repo edit the file **roles/batcave/files/allows**. Under the correct section add **require ip** ****** -- When this change is pushed run the batcave ansible playbook on the batcave. +- When this change is pushed run the batcave ansible playbook on the batcave. You will need sysadmin-main access for this - Create openvpn and 2fa certificates for the new server. This requires sysadmin main access -> https://pagure.io/fedora-infra/howtos/blob/master/f/generate_2fa_keys.md -> https://pagure.io/fedora-infra/howtos/blob/master/f/generate_openvpn_keys.md +> * https://pagure.io/fedora-infra/howtos/blob/main/f/generate_2fa_keys.md +> * https://pagure.io/fedora-infra/howtos/blob/main/f/generate_openvpn_keys.md - In the dns repo on batcave edit the file master/168.192.in-addr.arpa -Add the new host to one of the unused adresses. +Add the new host to one of the unused adresses. Ensure the hostname ends in .vpn.fedoraproject.org. Don't forget to update the serial before saving. @@ -21,11 +21,11 @@ Don't forget to update the serial before saving. the new 192.168.*.* address created in the previous step to the required section Don't forget to update the serial before saving. -- When the above edits are done follow the instructions in the DNS sysadmin sop +- When the above edits are done follow the instructions in the DNS sysadmin sop about signing and pushing new dns chnages. -> https://fedora-infra-docs.readthedocs.io/en/latest/sysadmin-guide/sops/dns.html#editing-the-domain-s +> https://docs.fedoraproject.org/en-US/infra/sysadmin_guide/dns/ -- Finally in the Fedora Infra Ansible repo add a new file +- Finally in the Fedora Infra Ansible repo add a new file **roles/openvpn/server/files/ccd/**** with the new 192.168.*.* address. View one of the existing files in the repo for a sample of formatting. This change will be run when the server is provisioned. From 70a36d40c9a7e5af7196fdf153e82c6572b5265e Mon Sep 17 00:00:00 2001 From: Mark O Brien Date: Mon, 9 May 2022 14:11:44 +0100 Subject: [PATCH 30/38] what to do with spam pagure users Signed-off-by: Mark O Brien --- pagure_spam.md | 40 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 40 insertions(+) create mode 100644 pagure_spam.md diff --git a/pagure_spam.md b/pagure_spam.md new file mode 100644 index 0000000..c91ad2d --- /dev/null +++ b/pagure_spam.md @@ -0,0 +1,40 @@ +# How to deal with spam posts on pagure + +When an ticket is raised for a spam user on the Fedora infra tracker take the +following actions. + +## Clear the spam +Click on the user in pagure and check their activity for all comments they have +made. Remove all these comments unless otherwise advised. + +## Ban the user in pagure + +ssh to pagure02.fedoraproject.org. As root user run the following command: + +``` +pagure-admin block-user +``` + +For example: + +``` +pagure-admin block-user spamuser 2060-01-01 +``` + +## Disable user in IPA + +### Frontend + +* Login to the ipa server and search the users name. +* Click on the user. +* In the Actions dropdown menu click disable + + +### Command line + +* ssh to ipa01.iad2.fedoraproject.org +* run `ipa user-disable ` + + + + From 565a891e15692ca44a1d7398a38ca4cb08f33f29 Mon Sep 17 00:00:00 2001 From: Jens Petersen Date: Sun, 28 Aug 2022 05:02:54 +0000 Subject: [PATCH 31/38] create_fedscm_admin_token: tweak first para to render bullets --- create_fedscm_admin_token.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/create_fedscm_admin_token.md b/create_fedscm_admin_token.md index 05ac16b..6e31696 100644 --- a/create_fedscm_admin_token.md +++ b/create_fedscm_admin_token.md @@ -1,8 +1,9 @@ # Creating fedscm-admin token for releng Members of the releng team that are processing the fedora-scm requests are using -the CLI tool: fedscm-request. +the CLI tool: fedscm-admin. They will need a few access to be able to use this tool properly: + - they will need a token to add/adjust things in PDC - they will need a token to create/modify things on src.fp.o - they will need a token to act on the fedora-scm repo on pagure.io (this one From 0ed61feed5b3fd421be3197c7e3b7846fb49df3c Mon Sep 17 00:00:00 2001 From: Jens Petersen Date: Sun, 28 Aug 2022 05:11:22 +0000 Subject: [PATCH 32/38] create_fedscm_admin_token: mention actual fedora-scm-requests name --- create_fedscm_admin_token.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/create_fedscm_admin_token.md b/create_fedscm_admin_token.md index 6e31696..9550769 100644 --- a/create_fedscm_admin_token.md +++ b/create_fedscm_admin_token.md @@ -1,12 +1,12 @@ # Creating fedscm-admin token for releng -Members of the releng team that are processing the fedora-scm requests are using +Members of the releng team that are processing fedora-scm-requests are using the CLI tool: fedscm-admin. They will need a few access to be able to use this tool properly: - they will need a token to add/adjust things in PDC - they will need a token to create/modify things on src.fp.o -- they will need a token to act on the fedora-scm repo on pagure.io (this one +- they will need a token to act on the fedora-scm-requests repo on pagure.io (this one can be created by themselves once they are given the access) This doc covers the second point. From 4c1860223a1071e78d214b51e937f238ada4b489 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Michal=20Kone=C4=8Dn=C3=BD?= Date: Wed, 8 Mar 2023 14:09:53 +0000 Subject: [PATCH 33/38] Add link to IPA server --- pagure_spam.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pagure_spam.md b/pagure_spam.md index c91ad2d..d2624d2 100644 --- a/pagure_spam.md +++ b/pagure_spam.md @@ -25,7 +25,7 @@ pagure-admin block-user spamuser 2060-01-01 ### Frontend -* Login to the ipa server and search the users name. +* Login to the [ipa server](https://id.fedoraproject.org/ipa/ui) and search the users name. * Click on the user. * In the Actions dropdown menu click disable From db2d87e59cfb631d6a44edb5923bba5e4a463e30 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Michal=20Kone=C4=8Dn=C3=BD?= Date: Fri, 14 Apr 2023 09:08:12 +0000 Subject: [PATCH 34/38] Add regenerate certificates howto --- fedora_messaging_certificates.md | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/fedora_messaging_certificates.md b/fedora_messaging_certificates.md index 4e09be5..febd556 100644 --- a/fedora_messaging_certificates.md +++ b/fedora_messaging_certificates.md @@ -45,6 +45,28 @@ git push Source: https://pagure.io/fedora-infrastructure/issue/8638 +# Regenerating TLS certificates + +* First remove old files + +In the staging subdir run +``` +rm -f pki/reqs/.stg.req +rm -f pki/private/.stg.key +rm -f pki/issued/.stg.crt +rm -f pki/certs_by_serial/.pem +``` + +Same for production, but without `.stg` in name and the commands need to be run from production subdir + +* Remove the cert from `index.txt` and `index.txt.old` + +The easiest way around this is to simply to a ``git grep ``. +It should tell you that the name can be found in ``index.txt`` (and potentially +``index.txt.old`` if another certificate was generated since the first attempt +and yours). + +* Follow the `How to create TLS certificates for fedora-messaging` section in this How-To ## Debugging From 026b1c9036175fa6e538c4fb97d46081a695b82e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Michal=20Kone=C4=8Dn=C3=BD?= Date: Mon, 17 Apr 2023 08:49:40 +0200 Subject: [PATCH 35/38] Revoke the old certificate instead of deleting it MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Michal Konečný --- fedora_messaging_certificates.md | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/fedora_messaging_certificates.md b/fedora_messaging_certificates.md index febd556..7f1aa10 100644 --- a/fedora_messaging_certificates.md +++ b/fedora_messaging_certificates.md @@ -47,14 +47,11 @@ Source: https://pagure.io/fedora-infrastructure/issue/8638 # Regenerating TLS certificates -* First remove old files +* First revoke old certificate In the staging subdir run ``` -rm -f pki/reqs/.stg.req -rm -f pki/private/.stg.key -rm -f pki/issued/.stg.crt -rm -f pki/certs_by_serial/.pem +/usr/share/easy-rsa/3/easyrsa revoke ``` Same for production, but without `.stg` in name and the commands need to be run from production subdir From 63b6507148f398cf1ced054e0955bbe4bd470af7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Michal=20Kone=C4=8Dn=C3=BD?= Date: Mon, 17 Jul 2023 13:19:08 +0200 Subject: [PATCH 36/38] Add howto for dealing with discourse spam MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Michal Konečný --- discourse_spam.md | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) create mode 100644 discourse_spam.md diff --git a/discourse_spam.md b/discourse_spam.md new file mode 100644 index 0000000..f1e2455 --- /dev/null +++ b/discourse_spam.md @@ -0,0 +1,18 @@ +# How to deal with spam posts on discourse + +When an ticket is raised for a spam user on the Fedora infra tracker take the +following actions. + +## Disable user in IPA + +### Frontend + +* Login to the [ipa server](https://id.fedoraproject.org/ipa/ui) and search the users name. +* Click on the user. +* In the Actions dropdown menu click disable + + +### Command line + +* ssh to ipa01.iad2.fedoraproject.org +* run `ipa user-disable ` From 5b00d360737af552c23d78c69f469d04effc5ac3 Mon Sep 17 00:00:00 2001 From: Michal Konecny Date: Tue, 29 Aug 2023 12:24:10 +0200 Subject: [PATCH 37/38] Add guide for creating new group in FAS Signed-off-by: Michal Konecny --- creating_groups_distgit.md | 2 +- groups_in_fedora.md | 12 ++++++++++++ 2 files changed, 13 insertions(+), 1 deletion(-) diff --git a/creating_groups_distgit.md b/creating_groups_distgit.md index 826504b..3badcc5 100644 --- a/creating_groups_distgit.md +++ b/creating_groups_distgit.md @@ -6,7 +6,7 @@ different types of groups in Fedora. Dist-git does not allow anyone to create groups, only admins can do it via the ``pagure-admin`` CLI tool. -To create a group, you can simply run the command: +To create a group, you can simply run the command on pkgs01.iad2.fedoraproject.org: :: diff --git a/groups_in_fedora.md b/groups_in_fedora.md index c8b40f1..31a6367 100644 --- a/groups_in_fedora.md +++ b/groups_in_fedora.md @@ -88,3 +88,15 @@ group. This list can then be made private and invite-only. **When requesting a pkgdb group, please let us know if you need a new mailing list to be created or not.** + +## How to create a group? + +1. Log in to [IPA interface](https://id.fedoraproject.org/ipa/ui) +2. Click on the Groups tab +3. Click on `+Add` button +4. Fill in the Group name, description (optional) +5. Tick the FAS group checkbox +6. Click Add +7. Click on the newly created group +8. Add group sponsors (` member managers` -> Users on the right) using `+Add` button +9. Add members (if requested) using `+Add` button in ` members` -> Users From 94ded24094baca3ffc30f12a3774f4e93dba063f Mon Sep 17 00:00:00 2001 From: Michal Konecny Date: Thu, 7 Sep 2023 15:48:48 +0200 Subject: [PATCH 38/38] Add notification about howtos migration Signed-off-by: Michal Konecny --- README.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/README.md b/README.md index d867915..35959d2 100644 --- a/README.md +++ b/README.md @@ -1,3 +1,6 @@ +**This repository is now moved to +[Fedora Infra documentation](https://docs.fedoraproject.org/infra/howtos/)** + # How to do things around the infrastructure. This repo contains the steps on How to do a tasks in the infrastructure. It is meant to be a knowledge database that can be quickly accessed and updated.