We should really be backing this up before it begins to get used by
additional services. Also, since our newer deployment uses a
separate RDBMS, back that up safely.
Change-Id: I4510dd05204f4b0f450d1925ed7be148d7d73e6e
This is a new server for our Keycloak service. The previous one is
also removed by this change, since it did not have the correct CPU
flags to run the latest Keycloak container images. The problem which
necessitated this rebuild is addressed by an additional check to our
launch script in Ib0f482a939f94e801c82f3583e0a58dc4ca1f35c.
Depends-On: https://review.opendev.org/908608
Change-Id: I4a4a8cb629cbda430a113d61689c9d8ec15408b5
This includes a switch from the "legacy" style Wildfly-based image
to a new setup using Quarkus.
Because Keycloak maintainers consider H2 databases as a test/dev
only option, there are no good migration and upgrade paths short of
export/import data. Go ahead and change our deployment model to rely
on a proper RDBMS, run locally from a container on the same server.
Change-Id: I01f8045563e9f6db6168b92c5a868b8095c0d97b
The OpenInfra Labs pilot project was closed down by mutual agreement
of the OpenInfra Foundation and former project contributors[*]. Its
mailing list will no longer be used. Reject any future posts at the
MTA in order to avoid creating the backscatter which would result if
Mailman itself were configured to bounce messages or send notices.
[*] https://lists.opendev.org/archives/list/openinfralabs@lists.opendev.org/thread/FHFSNRS5ZOWW7LJCKSMXT3HVPMSTSUEA/
Change-Id: I40c1568928399e86ac4ab501040ded6874172243
This should have the side effect of removing the older smaller key from
gitea. This is now safe as we have just restarted gerrit to pick up new
configuration forcing it to replicate with the new key. We know it isn't
using the old key because we moved the old key aside during the restart.
This is being done so that the gitea 1.21 upgrade can be made without
disabling key verification in gitea.
Change-Id: I1bad1dda2adf32c5c01b8b5f134130d887d8ec06
We use a new larger rsa key so that gitea checks on key size don't fail
when we upgrade gitea to 1.21 or newer. We did consider an ed25519 key
instead but those keys can only be generated in the new openssh key file
format and there is some question around whether or not Gerrit's
replication plugin (ultimately MINA ssh client) can read those files. To
be safe we stick with what we know works and simply increase the bit
count.
Change-Id: I51e97e8545a54202b05f32de70c0715083954119
The OpenInfra Foundation executive team is requesting creation of
new mailing lists on lists.openinfra.dev for the foundation's new
Asia hub. One list will have an open subscription policy and
publicly available archives, while the other will be utilized by the
advisory board for any sensitive topics that must be kept private.
Change-Id: Ie8b6b21b27dfaf932267266f644e7bd8c2f03981
This change refactors how gerrit's key(s) in gitea are managed. The
motivation behind this is to allow us to do key rotation with overlap in
accepted keys. To do this we first check which keys are present. Then
any missing keys are added. Finally we remove any keys which are not in
our key options.
This also corrects a bug where replacing keys would've required two
Ansible passes to delete the old key then add the new key. All keys
should be properly set in a single Ansible pass with this update.
Change-Id: I1eaf5ae89542e3e4f479c77e4df72a34d65d9c46
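The single-pass rotation described in the message above, combined with the RSA key size concern from the earlier "new larger rsa key" message, as an added example (not code from this repository). The function names, the constructed sample keys and the caller-supplied `min_rsa_bits` threshold are assumptions; keys are matched by OpenSSH SHA256 fingerprint and no Gitea API is called.

```python
import base64, hashlib, struct

def _fields(blob):
    """Split an SSH wire-format blob into its length-prefixed fields."""
    out, i = [], 0
    while i < len(blob):
        (n,) = struct.unpack(">I", blob[i:i + 4])
        out.append(blob[i + 4:i + 4 + n])
        i += 4 + n
    return out

def describe_key(line):
    """Return (type, RSA modulus bits or None, SHA256 fingerprint)."""
    blob = base64.b64decode(line.split()[1])
    fields = _fields(blob)
    ktype = fields[0].decode()
    # ssh-rsa blobs are: type, public exponent e, modulus n
    bits = int.from_bytes(fields[2], "big").bit_length() if ktype == "ssh-rsa" else None
    digest = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return ktype, bits, "SHA256:" + digest

def plan(present, wanted, min_rsa_bits):
    """Order one pass: add missing keys first, then remove unwanted ones."""
    have = {describe_key(k)[2] for k in present}
    want = {}
    for k in wanted:
        ktype, bits, fp = describe_key(k)
        if ktype == "ssh-rsa" and bits < min_rsa_bits:
            raise ValueError(f"{fp}: {bits}-bit RSA is below {min_rsa_bits}")
        want[fp] = k
    adds = [("add", fp) for fp in want if fp not in have]
    removes = [("remove", fp) for fp in sorted(have - set(want))]
    return adds + removes  # adds first, so an accepted key always exists

def _fake_rsa(bits, seed):
    """Constructed sample: a well-formed ssh-rsa line, not a usable key."""
    n = (1 << (bits - 1)) | (seed << 1) | 1
    parts = [b"ssh-rsa", (65537).to_bytes(3, "big"),
             b"\x00" + n.to_bytes(bits // 8, "big")]
    blob = b"".join(struct.pack(">I", len(p)) + p for p in parts)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " constructed"

# Constructed sizes for illustration; the messages do not state the real ones.
OLD, NEW = _fake_rsa(2048, 1), _fake_rsa(4096, 2)
```

Listing both keys in `wanted` gives the overlap window; dropping the old one from `wanted` later yields only the removal.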
This project didn't proceed past the test phase,
let's clean it up.
Revert "Add a functional test for registry.zuul-ci.org"
This reverts commit e701fdd3ca.
Revert "Add testinfra for registry.zuul-ci.org"
This reverts commit e00f4e59b3.
Revert "Add static site for registry.zuul-ci.org"
This reverts commit 31b505d3ba.
Revert "Add SSL cert for registry.zuul-ci.org"
This reverts commit d0a8473d42.
Change-Id: I1d39306187c7b2d7a908389f88d1a60e1b29ffe3
Now that we no longer run a Mailman v2 server, we can drop all the
automation we used for deploying and maintaining it.
Change-Id: I522cdbef86d1fe491d446e4b721a7873564c927a
Now that the Mailman v3 migration is complete, we no longer need any
divergence between the lists01 (production) and lists99 (test node)
host vars, so put everything into the group vars file instead.
Change-Id: If92943694e95ef261fbd254eff65a51d8d3f7ce5
The OpenInfra Foundation executive team is requesting creation of
new mailing lists on lists.openinfra.dev for the foundation's new EU
hub. One list will have an open subscription policy and publicly
available archives, while the other will be utilized by the advisory
board for any sensitive topics that must be kept private.
Change-Id: I138bcdddd8b8feeb94adb71f0ba5e03d8c809e20
Clean up references to lists.openstack.org other than as a virtual
host on the new lists01.opendev.org Mailman v3 server. Update a few
stale references to the old openstack-infra mailing list (and
accompanying stale references to the OpenStack Foundation and
OpenStack Infra team). Update our mailing list service documentation
to reflect the new system rather than the old one. Once this change
merges, we can create an archival image of the old server and delete
it (as well as removing it from our emergency skip list for
Ansible).
Side note, the lists.openstack.org server will be 11.5 years old on
November 1, created 2012-05-01 21:14:53 UTC. Farewell, old friend!
Change-Id: I54eddbaaddc7c88bdea8a1dbc88f27108c223239
We've been trying to get this to deploy automatically without much
success due to a couple of unrelated errors. The most recent appears to
possibly be an ansible issue within ansible itself (e.g. not our
playbooks). Land a noop change to retrigger things and see if this is
consistent or not.
Change-Id: Iaf0aa14a82fb7d0a2b61a5138c7435d3eda21a3e
Fix the infra-prod-service-lists3 job to trigger when we update the
mailman3.yaml group vars file. In addition we make a noop reorganization
change to the mailman3 group file to group exim vars together which will
be used to ensure that this change triggers the lists3 job as expected.
In system-config-run-lists3 we update that job to be triggered when we
update the docker images for mailman. We don't bother testing this now
as that would be masked off by the update to the mailman3 groups file.
But in the future when we do mailman3 image updates we'll be looking for
this job to run.
Change-Id: I994b0a79bf46f525dd9e059719f5a08c9c390b8c
In Ic1156849957bc326e9216c2aca0ab9d180e158e6 we added a temporary
router named mailman_copy to dump raw messages for the
openstack-discuss mailing list to an mbox file at
/var/mail/openstack-discuss in order to be able to compare
pre-Mailman state of messages for DKIM signature debugging. Since
this file doesn't exist and Exim lacks permission to create it, the
resulting router errors are leading to message deferrals for the
openstack-discuss mailing list.
Rather than add Ansible to create the mbox file for this, just drop
the router and accompanying transport definitions from our Exim
config. We can always set it up more thoroughly in the future if we
ever want to re-add it.
Change-Id: If4f6c7b90b7b312b23a7736251f704dace668879
This uncomments the list additions for the lists.openstack.org site
on the new mailman server, and should be merged the day of the
maintenance prior to the start of the scheduled outage window.
Separately removing configuration from the old server is
unnecessary, as there will be a cleanup change merged after the
maintenance window to remove all files associated with it and clear
it out of our inventory in preparation for archival imaging and
deletion (the old server will have its services disabled and be kept
in our emergency skip list for Ansible until that happens).
Change-Id: I1f6d3c8dfcb2bb98fa5b93bcc2f4a13927c55047
As part of the transition from the Nordix group to OpenInfra Europe,
some systems and services will remain under the Nordix name for now.
The people managing these resources need a mailing list to better
coordinate their activities.
Change-Id: I03b679b4d5f57b1953e1815555b79caf5b6452ff
On Mailman v2 the "mailman" addresses were mapped to special mailing
lists used for monthly password notifications and some other tasks.
This does not exist on Mailman v3, but spammers still have the old
mailman list addresses and send junk to them, which the server
attempts to deliver because there's a local user account with the
same name.
Reject messages for the old "mailman" addresses at receipt, so they
never enter our message queue.
Change-Id: I9db93ae98f4b3952400c1e478612ab70a6241dd1
This uncomments the list additions for the lists.openinfra.dev and
lists.starlingx.io sites on the new mailman server, removing the
configuration for them from the lists.openstack.org server and also
cleaning up some benign entries which were missed in the previous
migration change. With this, the old server should only be hosting
specifically lists.openstack.org mailing lists.
Change-Id: I1e2d332cd4addb8970a3759157bbeceddd77ea95
This uncomments the list additions for the lists.airshipit.org and
lists.katacontainers.io sites on the new mailman server, removing
the configuration for them from the lists.opendev.org server and, in
the case of the latter, removing all our configuration management
for the server as it was the only site hosted there.
Change-Id: Ic1c735469583e922313797f709182f960e691efc
This server has been replaced by insecure-ci-registry02. Remove it. This
will allow us to delete the server as well.
Change-Id: I4d9bc6ab90b13655ace2edf4a6fa7c362623c010
This adds a second registry host. We will remove the other once we've
cut over successfully (should just depend on a DNS update).
Depends-On: https://review.opendev.org/c/opendev/zone-opendev.org/+/886874
Change-Id: Ib6be5ef242ed038c23e0007488f2c21ce10f4fcb