Before, the custom rules were actually intended to _allow_ more things
on a particular host. Putting those blocks in there was useless because
custom rules were applied _after_ all the allowed ports, so it wasn't
really blocking anything.
This moves them to a block_rules applied before the ports are allowed.
Also move pagure's to that new rule list.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
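As an added illustration of the ordering problem this message describes (example code written for this page, not from the Fedora infrastructure repository), a first-match chain evaluator over constructed sample rules, plus a check that flags a drop rule shadowed by an earlier accept:

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str                    # "ACCEPT" or "DROP"
    dport: Optional[int] = None    # None matches any destination port
    src: Optional[str] = None      # None matches any source address

    def matches(self, src: str, dport: int) -> bool:
        return (self.dport is None or self.dport == dport) and (
            self.src is None or self.src == src
        )

    def overlaps(self, other: "Rule") -> bool:
        """True if some packet can match both rules (a wildcard matches anything)."""
        port_ok = self.dport is None or other.dport is None or self.dport == other.dport
        src_ok = self.src is None or other.src is None or self.src == other.src
        return port_ok and src_ok


def evaluate(chain: list, src: str, dport: int, policy: str = "DROP") -> str:
    """First matching rule wins, as in a netfilter chain; fall through to the policy."""
    for rule in chain:
        if rule.matches(src, dport):
            return rule.action
    return policy


def shadowed_drops(chain: list) -> list:
    """Indices of DROP rules that an earlier ACCEPT rule can intercept."""
    return [
        i for i, rule in enumerate(chain)
        if rule.action == "DROP"
        and any(r.action == "ACCEPT" and r.overlaps(rule) for r in chain[:i])
    ]


# Constructed sample rules: the host allows 22/443; one custom rule is meant
# to drop everything from a single source (address is a documentation-range example).
ALLOWED_PORTS = [Rule("ACCEPT", dport=22), Rule("ACCEPT", dport=443)]
BLOCK_RULES = [Rule("DROP", src="192.0.2.10")]

def chain_old() -> list:
    # Old layout: custom rules applied after all the allowed ports.
    return ALLOWED_PORTS + BLOCK_RULES

def chain_new() -> list:
    # New layout: block_rules applied before the ports are allowed.
    return BLOCK_RULES + ALLOWED_PORTS
```

With the old layout the blocked source still reaches port 443 because the ACCEPT rule matches first; with the new layout the DROP fires before any port is allowed.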
In the beginning, this just handled Azure images. Now it does Azure,
AWS, GCP, and containers. Currently, it processes images serially, which
is mostly okay. However, it does mean that whatever service is handled
last has to wait for all the others to succeed before it starts, and it
also means if any of the handlers for their respective platform fail, it
retries *all* the images again. For most things this is a no-op (or a
few inexpensive calls), but it does have to re-download the image from
Koji to checksum it.
This adds an AMQP message queue for each content type we handle, and
produces a fedora-messaging config for each content type. The deployment
is now made up of 4 containers: azure-image-uploader,
aws-image-uploader, container-image-uploader, and
google-cloud-image-uploader. They only differ in the secrets injected
into them and the fedora-messaging config file they use. The end result
is that images should be available faster and it's more resilient to
remote services being down.
Finally, it's worth noting that this bumps the warning threshold for
queue sizes. It can take some services (Azure and AWS) upwards of 30
minutes to replicate the images around the world, and since we subscribe
to _any_ compose status changes, it's not unreasonable for 5-10 messages
to stack up when we hit a compose change that is "FINISHED" with images.
Signed-off-by: Jeremy Cline <jeremycline@linux.microsoft.com>
Right now we have to add external to everything in iad2, but most of it
isn't external at all. This way we can just assume it's not external if
it's not defined and just define it on the ones where it's true.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
Enables the `image-builder` plugin from `koji-image-builder` in the
production environment for both the koji hub, and the koji builder
(kojid).
This is based on the earlier enablement in staging where I've
successfully tested some builds and it didn't seem to bring down all of
the staging instance.
Signed-off-by: Simon de Vlieger <supakeen@redhat.com>
Configure virtlogd to rotate logs older than 30 days. The default config
does not delete anything since we log to a lot of small files which are
ignored by the max size to rotate in default virtlogd config.
I think this is not needed because we actually test for iad2 in
inventory_hostname and in fact it overrides the groups that set it to
true, making them all come up false. ;(
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
For now, networking is going to just bridge dhcp from the new rdu3 mgmt
network over to our iad2 dhcp server. We will change this later after we
have bootstrapped up rdu3 some more.
This adds all our new x86 machines and 2 centos machines.
We still need to sort out the aarch64 machines (which need new cards)
and the power10 machines (still being racked).
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
Extended the liveness/readiness probe timeouts to better handle
unexpected database slowdowns. This aims to reduce the frequency of
Pod crash loops by giving the system more time to recover before
Kubernetes restarts it.
Enables the `image-builder` plugin from `koji-image-builder` in the
staging environment for both the koji hub, and the koji builder (kojid).
Signed-off-by: Simon de Vlieger <supakeen@redhat.com>
We finally merged https://pagure.io/fedora-iot/pungi-iot/pull-request/102
which changes the properties of the container images built in the
IoT compose. This should adjust to that and publish both the base
and IoT images, if we got it all right.
Signed-off-by: Adam Williamson <awilliam@redhat.com>
Two changes were made here:
* Explicitly add my Red Hat email address to all email addresses sent to
the `foa@` email alias. My FAS email is not my Red Hat email, but
there are some communications sent to this specific alias that I need
to always go to my Red Hat email address. They are topics specifically
about the work that I do at Red Hat.
* Create a new `jwheel@` personal email alias. This is the username I
intend to claim after my name change, and it also matches my Red Hat
email address (jwheel [at] redhat [dot] com). Gradually, I am going to
work on moving email from `jww@` to `jwheel@`. If an option ever is
available in the future to change FAS usernames, this is the changed
name that I would choose.
Signed-off-by: Justin Wheeler <jwheel@redhat.com>