Copr to use primary Fedora download location
by Miroslav Suchý
Hi,
right now Copr is using stock mock, with its default configuration.
Which means that Copr builders are downloading packages from Fedora mirrors.
I find this sub-optimal, because:
* sometimes a mirror is a little bit off-sync and occasionally this results in failed builds.
* while mirrors are generally a good thing, primary Fedora servers are AFAIK just a few racks away from Copr. In terms of
measurable data it is 100 ms of ping vs. 4 ms of ping.
Therefore I plan to replace:
metalink=https://mirrors.fedoraproject.org/metalink?repo=fedora-$releasev...
in mock config with:
baseurl=http://dl.fedoraproject.org/pub/fedora/linux/releases/$releasever...
and similarly for epel, rawhide and F21.
But before I proceed, I would like to ask if this is ok. Or should I rather not use dl.f.o for some reason?
--
Miroslav Suchy, RHCE, RHCDS
Red Hat, Senior Software Engineer, #brno, #devexp, #fedora-buildsys
9 years, 6 months
Freeze Break: add some playbooks to rbac-playbook
by Kevin Fenzi
Greetings.
vgologuz has been reworking the copr ansible playbooks. Before we had
some host playbooks that had all the logic in them. Now, we will have
some group ones that use roles properly, etc.
I'd like to add the new group playbooks to rbac-playbook so he can run
them and test with them.
copr is not frozen, but lockbox01 is, so that's why I ask.
kevin
--
+ 'groups/copr-frontend.yml': ['sysadmin-cloud'],
+ 'groups/copr-backend.yml': ['sysadmin-cloud'],
+ 'groups/copr-keygen.yml': ['sysadmin-cloud'],
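Review bot: all three new entries map to `sysadmin-cloud`, so the change lets every member of that group run `groups/copr-keygen.yml` as well as the frontend and backend playbooks; since the stated goal is letting one person test the reworked playbooks, confirm that the keygen playbook should be runnable by the whole group rather than a narrower one, and that `sysadmin-cloud` matches what the old host playbooks were mapped to.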
9 years, 6 months
Freeze Break request: switch nightly check/diff back to run each playbook
by Kevin Fenzi
Greetings.
In puppet commit a9d2e61de5413edf297bd594051905e661760d0d I changed the
nightly ansible check/diff cron job to just use the master playbook
instead of doing each playbook on its own.
Turns out this has a few downsides:
* If the execution fails somewhere, the run stops and it never runs on
the playbooks after the one that failed.
* Our logging/reporting looks at the playbook name that was run, so it
lumps all of them into 'master.yml' and it's harder to see what
playbooks have changed or failed items in them.
I'd like to just revert this commit.
+1s?
kevin
--
diff --git a/modules/scripts/files/ansible-playbook-check-diff.cron b/modules/scripts/files/ansible-playbook-check-diff.cron
index eeec65f..d1f9922 100755
--- a/modules/scripts/files/ansible-playbook-check-diff.cron
+++ b/modules/scripts/files/ansible-playbook-check-diff.cron
@@ -4,7 +4,7 @@ source /root/sshagent >>/dev/null
export ANSIBLE_HOST_KEY_CHECKING=False
export HOME=/root/
#export ANSIBLE_SSH_PIPELINING=False
-/srv/web/infra/ansible/scripts/ansible-playbook-check-diff |& grep ok=
+ansible-playbook /srv/web/infra/ansible/master.yml --check --diff |& grep ok=
# Send a email with failed or changed from the above check/diff run
/srv/web/infra/ansible/scripts/logview -d today -s CHECK_DIFF:CHANGED
-s CHECK_DIFF:FAILED | mailx -s "ansible changed/failed actions from
check/diff daily run" sysadmin-logs-members(a)fedoraproject.org
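Review bot: the `+` line pipes the single `master.yml` run through `grep ok=`, so only the per-host recap lines survive and a fatal error that aborts the run before later plays leaves nothing in the cron output beyond what logview recorded; reverting to the per-playbook script restores one recap per playbook, which is what the `logview -d today -s CHECK_DIFF:...` query on the following lines keys on. Unrelated to the revert but visible in the context: `export ANSIBLE_HOST_KEY_CHECKING=False` disables SSH host key verification for a root cron job that connects to every managed host, and a maintained known_hosts would be the stricter default.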
9 years, 6 months
MM2/Ansible FAD (was FAS3/MM2 FAD)
by Paul W. Frields
As was discussed in a previous thread, the FAD was slightly
reorganized to continue to cover (1) MirrorManager 2 work, and (2)
based on available people, Ansible playbook migration. Thank you to
pingou and others for organization efforts and willingness to help!
mattdm gave his +1 for the FAD, and rsuehle has said she can support
the budget, with the caveat that we Red Hatters hold off expensing our
USA airfares until ~December 1, so they will hit the OSAS budget in
Red Hat's fiscal Q4. This is something we can handle administratively
within Red Hat, just noted here for transparency. If any of the
travelers don't know what this means, please contact me off-list and
I'll be glad to explain and help with planning.
If possible, I'll try to drive down for at least one day of the FAD
event, to see you guys and pitch in.
--
Paul W. Frields http://paul.frields.org/
gpg fingerprint: 3DA6 A0AC 6D58 FEC4 0233 5906 ACDB C937 BD11 3717
http://redhat.com/ - - - - http://pfrields.fedorapeople.org/
The open source story continues to grow: http://opensource.com
9 years, 6 months
package changes and comps
by Rahul Sundaram
Hi
Not sure whether fedmsg or something else can handle this but throwing it
out there if anyone is interested. I just split up a package which is
listed in comps.xml and it would have been quite easy to miss adding the
sub package (deja-dup-nautilus in this case) and new users wouldn't get the
nautilus extension. IIRC this happened with file-roller earlier.
Would it be feasible to check when spec file changes introduce a new sub
package, verify that the package is listed in comps and send a note to the
package maintainer reminding them about potential changes they might need
to make in comps? Also when someone is introducing a new package, a
similar note would be useful.
Rahul
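One way to implement the reminder Rahul describes, as an added example rather than any existing Fedora tool; the spec and comps fragments are constructed for the deja-dup case, and the `%package` parsing covers only the plain and `-n` forms:

```python
# Added example (not a Fedora tool): the check the mail asks for. Given a spec
# and a comps.xml, list packages the spec builds that comps never mentions.
# Both inputs below are constructed for the deja-dup case from the mail.
import re
import xml.etree.ElementTree as ET

SPEC = """\
Name:           deja-dup
Summary:        Simple backup tool
%package        nautilus
Summary:        Nautilus extension for %{name}
%package -n     %{name}-caja
Summary:        Caja extension
"""

COMPS = """<comps><group><id>gnome-desktop</id><packagelist>
  <packagereq type="default">deja-dup</packagereq>
</packagelist></group></comps>"""

# Subpackages that are never expected in comps; skipped to avoid noise.
IGNORED_SUFFIXES = ("-devel", "-debuginfo", "-doc", "-static")

def spec_packages(spec):
    """Binary packages a spec produces: Name plus every %package stanza
    ("%package foo" -> name-foo, "%package -n bar" -> bar)."""
    name = re.search(r"^Name:\s*(\S+)", spec, re.M).group(1)
    pkgs = [name]
    for m in re.finditer(r"^%package\s+(?:-n\s+(\S+)|(\S+))", spec, re.M):
        pkgs.append(m.group(1) if m.group(1) else f"{name}-{m.group(2)}")
    return [p.replace("%{name}", name) for p in pkgs]

def comps_packages(comps_xml):
    """Every package name referenced in any comps group."""
    return {el.text.strip() for el in ET.fromstring(comps_xml).iter("packagereq") if el.text}

def missing_from_comps(spec, comps_xml):
    """Packages to remind the maintainer about: built by the spec, absent from comps."""
    listed = comps_packages(comps_xml)
    return [p for p in spec_packages(spec)
            if p not in listed and not p.endswith(IGNORED_SUFFIXES)]

if __name__ == "__main__":
    for pkg in missing_from_comps(SPEC, COMPS):
        print(f"reminder: {pkg} is built by the spec but not listed in comps.xml")
```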
9 years, 6 months
Plan for tomorrow's Fedora Infrastructure meeting (2014-10-16)
by Kevin Fenzi
The infrastructure team will be having its weekly meeting tomorrow,
2014-10-16 at 18:00 UTC in #fedora-meeting on the freenode network.
Suggested topics:
#topic New folks introductions and Apprentice tasks.
If any new folks want to give a quick one line bio or any apprentices
would like to ask general questions, they can do so in this part of the
meeting. Don't be shy!
#topic Freeze reminder
Just a reminder that we are in Beta freeze.
#topic Applications status / discussion
Check in on status of our applications: pkgdb, fas, bodhi, koji,
community, voting, tagger, packager, dpsearch, etc.
If there are new releases, bugs we need to work around or things to note.
#topic Sysadmin status / discussion
Here we talk about sysadmin related happenings from the previous week,
or things that are upcoming.
#topic nagios/alerts recap
Here we go over the last week's alerts and see if we can find ways to
make it so they don't happen again.
#topic Upcoming Tasks/Items
https://apps.fedoraproject.org/calendar/list/infrastructure/
#topic Open Floor
Submit your agenda items, as tickets in the trac instance and send a
note replying to this thread.
More info here:
https://fedoraproject.org/wiki/Infrastructure/Meetings#Meetings
Thanks
kevin
9 years, 6 months
Freeze Break: SSLv3
by Kevin Fenzi
There's been a vulnerability discovered in SSLv3 that basically allows
attackers to decrypt it. ;(
I would like to apply the following and disable it on our sites for now
until and unless we find a better solution in coming days.
Note that I am likely going to try and test the koji change in stg first
and might adjust it some.
I'll also likely apply this soon anyhow as it's a security issue,
but more eyes / +1's welcome.
kevin
--
diff --git a/configs/httpd/websites/infrastructure.fedoraproject.org.conf b/configs/httpd/websites/infrastructur
index 2d8a8dc..2d197eb 100644
--- a/configs/httpd/websites/infrastructure.fedoraproject.org.conf
+++ b/configs/httpd/websites/infrastructure.fedoraproject.org.conf
@@ -56,7 +56,7 @@
# https://fedorahosted.org/fedora-infrastructure/ticket/4101#comment:14
# If you change the protocols or cipher suites, you should probably update
# modules/squid/files/squid.conf-el6 too, to keep it in sync.
- SSLProtocol +SSLv3 +TLSv1
+ SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-EC
Include "conf.d/infrastructure.fedoraproject.org/*.conf"
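Review bot: the new `SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2` is an explicit allow-list rather than `all -SSLv3`, so any protocol version a later OpenSSL adds stays off until this line is edited again; that is a reasonable choice for a freeze-break fix, but worth a one-line comment next to the directive, since the existing comment only covers keeping squid.conf-el6 in sync.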
diff --git a/configs/system/fedorapeople/people.conf b/configs/system/fedorapeople/people.conf
index 113321b..674f28a 100644
--- a/configs/system/fedorapeople/people.conf
+++ b/configs/system/fedorapeople/people.conf
@@ -36,7 +36,7 @@ NameVirtualHost [2610:28:3090:3001:5054:ff:fedb:7f5a]:443
SSLCertificateChainFile /etc/pki/tls/certs/wildcard-2014.fedorapeople.org.intermediate.cert
SSLHonorCipherOrder On
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-EC
- SSLProtocol +SSLv3 +TLSv1
+ SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2
Header add Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
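Review bot: this is one of several hand-maintained copies of the identical `SSLProtocol` line (people.conf, planet.conf, fedorahosted.org.conf, git.fedorahosted.org.conf, lookaside-upload.conf), while `modules/httpd/templates/website.conf.erb` later in this patch already carries it; moving these vhosts onto the template, or at least noting the list in one place, would keep the next protocol or cipher change from missing a file.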
diff --git a/configs/system/planet/planet.conf b/configs/system/planet/planet.conf
index 0ee76fc..ed80bcc 100644
--- a/configs/system/planet/planet.conf
+++ b/configs/system/planet/planet.conf
@@ -47,7 +47,7 @@
SSLCertificateChainFile /etc/pki/tls/certs/wildcard-2014.fedorapeople.org.intermediate.cert
SSLHonorCipherOrder On
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-
- SSLProtocol +SSLv3 +TLSv1
+ SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2
DocumentRoot "/srv/planet/site/"
diff --git a/configs/web/fedorahosted.org.conf b/configs/web/fedorahosted.org.conf
index f3476c2..b5ac057 100644
--- a/configs/web/fedorahosted.org.conf
+++ b/configs/web/fedorahosted.org.conf
@@ -23,7 +23,7 @@ Listen 443
SSLCertificateChainFile /etc/httpd/conf.d/fedorahosted.org/wildcard-2014.fedorahosted.org.intermediate.cert
SSLHonorCipherOrder On
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-
- SSLProtocol +SSLv3 +TLSv1
+ SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2
Header add Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
diff --git a/configs/web/git.fedorahosted.org.conf b/configs/web/git.fedorahosted.org.conf
index bba8519..f670515 100644
--- a/configs/web/git.fedorahosted.org.conf
+++ b/configs/web/git.fedorahosted.org.conf
@@ -21,7 +21,7 @@ Alias /robots.txt /srv/web/fedorahosted.org/robots.txt
SSLCertificateChainFile /etc/httpd/conf.d/fedorahosted.org/wildcard-2014.fedorahosted.org.intermediate.cert
SSLHonorCipherOrder On
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-
- SSLProtocol +SSLv3 +TLSv1
+ SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2
Alias /cgit-data /usr/share/cgit
ScriptAlias /cgit /var/www/cgi-bin/cgit
diff --git a/configs/web/koji-ssl.conf b/configs/web/koji-ssl.conf
index 93696c8..307e82d 100644
--- a/configs/web/koji-ssl.conf
+++ b/configs/web/koji-ssl.conf
@@ -97,7 +97,7 @@ SSLEngine on
# SSL Protocol support:
# List the enable protocol levels with which clients will be able to
# connect. Disable SSLv2 access by default:
-SSLProtocol all -SSLv2
+SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2
# SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate.
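Review bot: the comment lines kept above the change (`# List the enable protocol levels ...` / `# connect. Disable SSLv2 access by default:`) now describe the wrong policy; update them to say only TLS 1.0 through 1.2 are enabled. Since koji is driven by command-line clients rather than browsers, the staging test the message mentions is the right place to confirm older clients still negotiate TLSv1 before this lands in production.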
diff --git a/configs/web/pkgs.fedoraproject.org/lookaside-upload.conf b/configs/web/pkgs.fedoraproject.org/looka
index bf41146..bfb44d6 100644
--- a/configs/web/pkgs.fedoraproject.org/lookaside-upload.conf
+++ b/configs/web/pkgs.fedoraproject.org/lookaside-upload.conf
@@ -29,8 +29,7 @@ SSLCryptoDevice builtin
SSLCARevocationFile /etc/pki/tls/crl.pem
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-
- SSLProtocol +SSLv3 +TLSv1
-
+ SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2
# Must be 'optional' everywhere in order to have POST operations work to upload.cgi
SSLVerifyClient optional
diff --git a/modules/httpd/templates/website.conf.erb b/modules/httpd/templates/website.conf.erb
index 668c090..817b5ef 100644
--- a/modules/httpd/templates/website.conf.erb
+++ b/modules/httpd/templates/website.conf.erb
@@ -42,7 +42,7 @@
# https://fedorahosted.org/fedora-infrastructure/ticket/4101#comment:14
# If you change the protocols or cipher suites, you should probably update
# modules/squid/files/squid.conf-el6 too, to keep it in sync.
- SSLProtocol +SSLv3 +TLSv1
+ SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-EC
Include "conf.d/<%= name %>/*.conf"
diff --git a/modules/puppet/files/puppetmaster.conf b/modules/puppet/files/puppetmaster.conf
index 4294a14..08a6d3b 100644
--- a/modules/puppet/files/puppetmaster.conf
+++ b/modules/puppet/files/puppetmaster.conf
@@ -58,6 +58,7 @@ user apache
ServerName master.puppetmanaged.org
SSLEngine on
SSLCipherSuite SSLv2:-LOW:-EXPORT:RC4+RSA
+ SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2
SSLCertificateFile /var/lib/puppet/ssl/certs/puppet.pem
SSLCertificateKeyFile /var/lib/puppet/ssl/private_keys/puppet.pem
SSLCertificateChainFile /var/lib/puppet/ssl/ca/ca_crt.pem
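Review bot: the added `SSLProtocol` line sits directly under `SSLCipherSuite SSLv2:-LOW:-EXPORT:RC4+RSA`, a cipher string that still selects SSLv2-era suites and RC4; disabling SSLv3 does not change that list, so this vhost should get the same ECDHE/AES-GCM `SSLCipherSuite` string and `SSLHonorCipherOrder On` used in the other files of this patch, even if as a separate follow-up after the freeze.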
diff --git a/modules/squid/files/squid.conf-el6 b/modules/squid/files/squid.conf-el6
index 80b8e86..123af78 100644
--- a/modules/squid/files/squid.conf-el6
+++ b/modules/squid/files/squid.conf-el6
@@ -1,5 +1,5 @@
http_port 80 defaultsite=kojipkgs.fedoraproject.org
-https_port 443 defaultsite=kojipkgs.fedoraproject.org cert=/etc/pki/tls/certs/wildcard-2014.squid.cert key=/etc
+https_port 443 defaultsite=kojipkgs.fedoraproject.org cert=/etc/pki/tls/certs/wildcard-2014.squid.cert key=/etc
cache_peer 127.0.0.1 parent 8080 0 no-query originserver name=kojipkgs
hierarchy_stoplist cgi-bin ?
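Review bot: the `https_port` line is cut off at `key=/etc` in both the `-` and `+` versions, so the squid-side change is not reviewable from this mail; since the httpd comments in this patch explicitly require squid.conf-el6 to stay in sync, please post the tail of that line (the options after `key=`) so reviewers can confirm SSLv3 is also off on kojipkgs.fedoraproject.org.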
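As an added example, not code from the Fedora infrastructure repository: a small evaluator of Apache mod_ssl `SSLProtocol` values that follows mod_ssl's parse rules (a bare keyword replaces the set, `+` adds, `-` removes, `all` is every version, keywords are case-insensitive, which is why `-All` works), run over the three directive forms that appear in the patch above to show which still admit SSLv3. The vhost text is constructed.

```python
# Added example (not Fedora infrastructure code): evaluate Apache mod_ssl
# SSLProtocol values the way the server parses them, so the "before" and
# "after" lines from the patch can be audited. Rules: a bare keyword replaces
# the set, "+" adds, "-" removes, "all" is every version, keywords are
# case-insensitive (hence "-All" is fine). Versions as known to 2014-era mod_ssl.
PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")

def enabled_protocols(value):
    """Return the set of protocol versions an SSLProtocol value enables."""
    enabled = set()
    for word in value.split():
        action = ""
        if word[0] in "+-":
            action, word = word[0], word[1:]
        if word.lower() == "all":
            chosen = set(PROTOCOLS)
        else:
            chosen = {p for p in PROTOCOLS if p.lower() == word.lower()}
            if not chosen:
                raise ValueError(f"unknown SSLProtocol keyword {word!r}")
        if action == "-":
            enabled -= chosen
        elif action == "+":
            enabled |= chosen
        else:            # bare keyword overrides whatever was set before it
            enabled = chosen
    return enabled

def audit(config_text):
    """Return (line_no, value, allows_sslv3) for every SSLProtocol line."""
    findings = []
    for no, line in enumerate(config_text.splitlines(), 1):
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() == "sslprotocol":
            findings.append((no, parts[1], "SSLv3" in enabled_protocols(parts[1])))
    return findings

# Constructed vhost fragment carrying the three directive forms seen in the patch.
SAMPLE = """\
<VirtualHost *:443>
    SSLEngine on
    SSLProtocol +SSLv3 +TLSv1
    SSLProtocol all -SSLv2
    SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2
</VirtualHost>
"""

if __name__ == "__main__":
    for no, value, bad in audit(SAMPLE):
        print(f"line {no}: SSLProtocol {value} -> {'SSLv3 ENABLED' if bad else 'ok'}")
```

A vhost with no `SSLProtocol` line at all (the puppetmaster.conf case before this patch) is not reported, because the mod_ssl default then applies; extend `audit` to flag that per `<VirtualHost>` block if you want that covered too.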
9 years, 6 months
Freeze Break request: RHEL 6.6
by Kevin Fenzi
Greetings.
In some kind of unfortunate timing, we went into freeze this morning
and also RHEL 6.6 was released. :) So, I would like to ask for a little
freeze break. ;)
I'd like to apply the update to all our RHEL6 machines and reboot those
that can be easily rebooted without an outage.
Reasoning:
* I would really very much like to update openssh on lockbox01 so we
can use control-persist and pipelining. It should make ansible runs a
great deal faster.
* I would like us to be up to date in the event a serious security
vulnerability arrives. So, we just need to apply the update instead
of applying all of rhel6.6 also.
* I would --exclude=python-zmq as we have had troubles with the rhel6
version from epel.
* We have typically had very little problem with minor release versions
of RHEL. Breakage for us has usually happened due to epel upgrades or
unrelated items.
* It's the very start of our freeze, so we should be able to clean up
any problems resulting before it disrupts the beta cycle any.
* I don't see any issues off hand that would affect us in the tech
notes for rhel 6.6.
Thoughts? +1s?
As a backup plan, I can just update lockbox01 to get the new openssh.
However, I really think we should just update them all to stay current.
kevin
9 years, 6 months
FAS3/MM2 FAD
by Pierre-Yves Chibon
Hi Everyone,
So here is where we are on the FAS3/MM2 FAD.
Location: Raleigh (airport: RDU)
Dates: December 2nd to December 9th
Divided in two parts
Dec 3rd to Dec 5th -> MirrorManager2
Dec 6th to Dec 8th -> FAS3
This way those interested in both topics can be present for the whole week, the
others can be present for only part of it.
Attendants (airport of origin):
pingou: TLS
Xavier: CDG
Patrick: AMS
Toshio: LAX ?
David: SEA
Ralph: ROC
Matt: HOU ?
Dennis: CHI ?
Kevin: DEN
Luke: DEN
Travel budget (Prices found on orbitz.com):
► Raleigh
TLS -> RDU => ~$957 - Delta
CDG -> RDU => ~$940 - American Airlines
AMS -> RDU => ~$692 - Delta
LAX -> RDU => ~$355 - Delta
SEA -> RDU => ~$510 - Delta
ROC -> RDU => ~$260 - Delta
CHI -> RDU => ~$230 - United Airlines
HOU -> RDU => ~$320 - Delta
DEN -> RDU => ~$295 - Delta
DEN -> RDU => ~$295 - Delta
------
$4854
TODO:
* Confirm location and dates with Matt
* Confirm location and dates with Toshio
-> I will email them
* Find hotel/housing (Paul any idea?)
* Find social events
* Submit budget to FPL for approval
* Book ticket
* Travel, hack and enjoy :)
Cheers,
Pierre
9 years, 6 months