The old way of setting Fedora repos was not idempotent for
vmhost-p09-copr01.rdu-cc.fedoraproject.org (was considered both primary
and secondary). And it appears this would be the same for all Fedora
s390x/ppc64le boxes.
We run the playbook first against the `copr-be-temp.aws..`
inventory_hostname, and then once more against `copr-be.aws..`. We need
to re-sign the pub keys for the later run.
https://pagure.io/fedora-infrastructure/issue/11006
These instances served long and well as fallback resolvers for
dnssec-trigger. This is no longer needed or used, so lets remove them.
See https://pagure.io/fedora-infrastructure/issue/11415
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
Since F35, the swap service started failing with:
kernel: BTRFS warning (device nvme0n1p5): swapfile must not be copy-on-write
swapon[2976986]: swapon: /swap: swapon failed: Invalid argument
swap.swap: Swap process exited, code=exited, status=255/EXCEPTION
It should be redundant and we observe strage things such as 4x
removing and adding ssh keys, having to manualy confirm "Are you sure
you want to continue connecting (yes/no/[fingerprint])?" and so
on. Let's try to disable the role.
Seems like either the RHEL 8 (batcave) or Fedora 35 system (Fedora Copr
Infra) prefers ed25519 keys over rsa, leading to weird auth problems:
TASK [allow root ssh connections] ***************************************************************************************************************************
Monday 29 November 2021 13:06:43 +0000 (0:00:00.314) 0:00:03.632 *******
Monday 29 November 2021 13:06:43 +0000 (0:00:00.314) 0:00:03.632 *******
fatal: [copr-be-dev.aws.fedoraproject.org]: UNREACHABLE! => {"changed": false, "msg": "Data could not be sent to remote host \"copr-be-dev.aws.fedoraproject.org\". Make sure this host can be reached over ssh: Certificate invalid: name is not a listed principal\r\n@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@\r\n@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @\r\n@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@\r\nIT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!\r\nSomeone could be eavesdropping on you right now (man-in-the-middle attack)!\r\nIt is also possible that a host key has just been changed.\r\nThe fingerprint for the ED25519 key sent by the remote host is\nSHA256:Cgs/aoJl9OJheAtZZ2CDiYx9ZeFMwD6dUYUJpPDTl58.\r\nPlease contact your system administrator.\r\nAdd correct host key in /root/.ssh/known_hosts to get rid of this message.\r\nOffending RSA key in /root/.ssh/known_hosts:21\r\nED25519 host key for copr-be-dev.aws.fedoraproject.org has changed and you have requested strict checking.\r\nHost key verification failed.\r\n", "unreachable": true}
This lets us move forward with the tomorrow's update. The previous
hack(s) were not OK.
We observed a situation when two keys were specified in known_hosts, and
only one was removed by the playbook. At least we think this is what is
actually happening.
Note: there are still some calls here in old fas in openshift, but we
will remove those when we remove old fas (likely as soon as zodbot is
ported over to noggin).
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
We have some hosts that run on archived/EOL Fedora releases, their
repository URLs need to reflect that.
Signed-off-by: Nils Philippsen <nils@redhat.com>
Found the reason that the definitions I had put were not
working. There were two different ones and i was looking at the wrong
one. Put the two tasks with the same logic so things should work no
matter which one is run.
