Hi all,
Just to quickly let you know that
console-openshift-console.apps.ocp.ci.centos.org was switched to point
to new oauth2 settings.
So please try to login with "CentOS_and_Fedora_account", that is
pointing to new id.centos.org, itself now using (Free)IPA backend that
is the common/merged one between Fedora and CentOS.
Reminder : if your account wasn't existing in FAS and so just imported
from ACO, you have first to reset your password through new portal
https://accounts.centos.org (or https://accounts.fedoraproject.org, as
it's the same backend, same settings, just different visual theme).
Verify your group membership and/or projects ACLs in openshift, and if
you have troubles, create ticket on
https://pagure.io/centos-infra/issues so that Vipul and David can have a
look and eventually correct things (if you have a new email address or
nickname from your FAS/ACO merged account)
Cheers,
--
Fabian Arrotin
The CentOS Project | https://www.centos.org
gpg key: 17F3B7A1 | twitter: @arrfab
Hi All !
As announced multiple times (including but not limited to
https://lists.centos.org/pipermail/centos-devel/2021-February/076442.html),
Fedora and CentOS will merge authentication soon.
It was already merged for Staging environment, where SIGs contributors
could test things and now it's time to really merge
https://accounts.centos.org and https://admin.fedoraproject.org/accounts
on the new system.
Let me point you first to the mail sent to Fedora so please read it
first to have a little bit of background/history :
https://lists.fedoraproject.org/archives/list/announce@lists.fedoraproject.…
As you can see, the Fedora migration will happen next week.
Based on current timeline and agenda, we'll proceed like this for the
CentOS migration :
* Friday April 2nd :
  * We'll "freeze" https://accounts.centos.org in Read-only mode
  * Fedora infra team launches the fas2ipa script to import centos
    users/groups not existing (yet) in new IPA setup (if you had a fedora
    account matching your account in accounts.centos.org, you'll not be
    imported again, but rather be added to your imported centos groups - so
    merged -)
* Monday April 5th
  * quick sanity check for the import script result and some internal
    checks, then
  * Real CentOS infra authentication switch : it's hard to give a
    timeline but we'll start with https://cbs.centos.org (I'll announce
    downtime in separate mail when we'll have full agenda) and then proceed
    with the other services.
How will you be impacted ?
If you use any kind of service authenticated by either TLS cert from
https://accounts.centos.org (that's the case for cbs.centos.org, or mqtt
notifications), you'll *have* to retrieve a new cert. (more information
in the SIGGuide will appear in due time).
Same for services using authentication tied to
https://accounts.centos.org through https://id.centos.org (for
openid/openidc, etc)
So this mail doesn't contain all the information for how to retrieve new
TLS cert, how to reset password, etc but more to give you the date when
we'll have smallest possible downtime while reconfiguring system to
switch to new authentication (FWIW, all changes were automated through
ansible for our staging environment, so we'll just reapply same process
for the production one)
Have a nice week-end !
--
Fabian Arrotin (all excited to finally see this project arriving at
deploy time) :)
The CentOS Project | https://www.centos.org
gpg key: 17F3B7A1 | twitter: @arrfab
Hi All,
Last year we announced a new OCP4 cluster deployment with a request to
migrate workloads to it (from openshift 3.6). I have been working with
a few projects to help migrate and have received good feedback.
On March 1st 1200 UTC, we will shut down the legacy cluster. If you
have a job running there, please open a ticket on our tracker[0] so
that we can work with you to migrate them on time.
[0] https://pagure.io/centos-infra/new_issue?template=ci-migration
Thank You
--
Vipul Siddharth
He/His/Him
Fedora | CentOS CI Infrastructure Team
Hi All,
There is a security update coming today in jenkins. I will update the
ci.centos.org jenkins plugins (and other instances that I maintain) as
the severity is High (check [0])
I will disable jobs execution at 2pm UTC today and update+restart at
2:30-3 pm UTC
All jobs requested will be queued in that period.
If you have a jenkins instance, please consider doing the same.
Thank You
[0] https://groups.google.com/d/topic/jenkinsci-advisories/sEeqkNwz5IQ
--
Vipul Siddharth
He/His/Him
Fedora | CentOS CI Infrastructure Team
Hi all,
We seem to have an issue with an IBM Power 8 used within CI and so we have
to re-balance CI nodes that you can request through Duffy API for
ppc64/ppc64le.
My question sounds more like a survey : I think that most (if not all)
CI projects actually still building (and testing in CI) just target the
ppc64le architecture (Little Endian) and so not the ppc64 (Big Endian) one.
We'd like to hear from you and depending on the needs, we can
eventually drop ppc64 architecture for CI tests, and so have more
(re-balanced) ppc64le resources .
Opinions ?
--
Fabian Arrotin
The CentOS Project | https://www.centos.org
gpg key: 17F3B7A1 | twitter: @arrfab
Hi All,
Just wanted to inform you that today at 1330 UTC, I will be updating
ci.centos.org jenkins to version 2.263.2 to catch up with new
CVE/vulnerabilities fixes.
If you are using a namespace in Openshift cluster, please consider
updating your jenkins version as well.
--
Vipul Siddharth
He/His/Him
Fedora | CentOS CI Infrastructure Team
Sending it here too, but ideally if you have questions/comments, that
would be better to join the thread on centos-devel list.
Thanks !
-------- Forwarded Message --------
Subject: [CentOS-devel] CentOS/Fedora authentication system merge
(Please Read)
Date: Wed, 27 Jan 2021 08:58:13 +0100
From: Fabian Arrotin <arrfab(a)centos.org>
Reply-To: The CentOS developers mailing list. <centos-devel(a)centos.org>
To: The CentOS developers mailing list. <centos-devel(a)centos.org>
# Introduction and background
As it was preannounced some time ago , the CentOS Board agreed to merge
the CentOS accounts (https://accounts.centos.org) with the Fedora FAS
(https://admin.fedoraproject.org/accounts/)
As both projects were running their own instance of FAS (running on
el6/CentOS 6, so coming to EOL, so that needed to be migrated to new
solution/platform), but that there are a lot of contributors common to
both projects, it made sense to "migrate and merge" both into one, and
so having only one account that can be used for both.
The AAA/Noggin team worked in the last months on the new authentication
system that will be used as foundation.
The core block will be (Free)IPA (https://www.freeipa.org , already
available in the distribution) and the community portal feature will be
provided by noggin (https://github.com/fedora-infra/noggin)
If you want to know more about noggin, consider watching the
presentation given at last Fedora Nest event
(https://www.youtube.com/watch?v=x1SevUmkE60)
# What does it mean for you, contributors and SIG members ?
Fedora already had an IPA infra, but "hidden" behind FAS, so accounts
were already created in IPA backend.
For CentOS, we were just using plain FAS, so users in our own backend
(fas db).
The "Merge" operation will go like this :
- Fedora will kick fas2ipa script
(https://github.com/fedora-infra/fas2ipa), synchronizing FAS attributes
back into IPA, including group memberships coming from FAS/Fedora
- Then the same process will be run but importing from ACO
(https://accounts.centos.org) into the same IPA backend.
That's where the "fun" begins:
* If the same nick/account exists on both sides, the script is
considering FAS as authoritative (remember, the FAS user *already*
exists there, and is only modified for group[s] membership and attributes)
* What is used to consider same nick/account being the same person ?
the email (validated when registering account) will be used as primary
key. So that means that you should *now* verify/update your email
address in FAS and ACO so that they match
* in case of an email address mismatch, the ACO account isn't migrated
(group membership) but put in a queue to be verified
* in case of matching email address, existing account is added to
imported ACO groups
The "open" question is about what to do for same account but in fact
being different people (question is debated between Fedora and CentOS
through the AAA initiative)
# What has been already done ?
You can follow publicly the status through dedicated tracker (
https://github.com/orgs/fedora-infra/projects/6 ), but let me focus on
the CentOS Side (sending this to centos-devel so centos contributors)
In the last months, Fedora already deployed a staging (.stg.) IPA
instance, as well as a noggin community portal.
For CentOS, we deployed (to be able to test integration) the following
components in front of the Fedora IPA:
* https://accounts.stg.centos.org (using noggin, with a centos visual
theme applied)
* https://id.stg.centos.org (ipsilon, used for openid/openidc IdP)
We then reached out to some "key users" to validate that some
applications migrated to new authentication system were working fine.
We tested with :
* pagure (https://git.stg.centos.org)
* koji
* openshift/OCP
* some other apps using openid
In December 2020, there was a first run of the fas2ipa script, so
(consider this a snapshot) existing accounts in both FAS and ACO were
merged.
From that import, there were 123 accounts that were duplicate ones, but
as said, it can be that they are the same account but using different
email addresses.
# What do you have to do ?
You can try to login through https://accounts.stg.centos.org and see if
you can login.
Important remark: if you *didn't* have a FAS account , your account was
imported/created for the first time in IPA, so that means that you'll
have to use the "Forgot Password ?" feature on portal to reset your
account (mail will be sent to email address tied to your account)
# When will the real migration happen ?
We'll wait on AAA/noggin team to give us estimated date, and when
they'll migrate Fedora first.
Once that will be done, we'll migrate ACO to the new setup (probably
fas2ipa script run during a week-end, but to be announced)
# How will that impact my workflow for CentOS as SIG member ?
Worth knowing that all deployed services using ACO will have to be
reconfigured for AAA.
That currently means :
* https://git.centos.org (and also the MQTT bus for git push notifications)
* https://cbs.centos.org (and also non public signing service)
* other small services using OpenID/OpenIDC for authentication
(https://blog.centos.org, some jenkins instances used by QA team, etc)
As said, we have already staged all changes to support new auth in our
ansible roles.
When we'll have rolled out these changes, your existing TLS certificate
that you use to authenticate with for cbs.centos.org *will not* work
anymore (important)
That means that you'll have to retrieve a new TLS cert, signed by the
IPA CA cert.
How to do that ? I'll see about how porting this to known repository, but
for now, there is a copr repo that you can use :
https://copr.fedorainfracloud.org/coprs/arrfab/fasjson-client/
IMPORTANT : do *not* use this pkg now, or do this from another
workstation/vm/account/whatever : the new 'centos-cert' util would
replace your currently working TLS cert (from ACO) . (Well, as fasjson
for prod *isn't* deployed yet, that would not work at all, but it would
when deployed)
If you have questions, feel free to ask in this thread, or join
#fedora-aaa on Freenode.
--
Fabian Arrotin
The CentOS Project | https://www.centos.org
gpg key: 17F3B7A1 | twitter: @arrfab
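
The merge rules described in the message above (FAS authoritative on a nick collision, email as the key for "same person", mismatches queued for verification), sketched as an added example. This is not part of the original mail and not code from fas2ipa; the `Account` type, the function names, the case-insensitive email comparison and the sample accounts are all assumptions constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class Account:
    nick: str
    email: str
    groups: set = field(default_factory=set)


def same_email(a, b):
    # Assumption: addresses are compared case-insensitively after trimming.
    return a.strip().casefold() == b.strip().casefold()


def merge_aco(ipa, aco_accounts):
    """Merge ACO accounts into `ipa` (nick -> Account, already holding FAS users).

    Returns three lists of nicks: created, merged, review_queue.
    """
    created, merged, review_queue = [], [], []
    for aco in aco_accounts:
        existing = ipa.get(aco.nick)
        if existing is None:
            # Nick unknown in IPA: imported as a new account (password reset needed).
            ipa[aco.nick] = Account(aco.nick, aco.email, set(aco.groups))
            created.append(aco.nick)
        elif same_email(existing.email, aco.email):
            # Same nick and same validated email: same person. The FAS-side
            # attributes stay untouched; only the ACO groups are added.
            existing.groups |= aco.groups
            merged.append(aco.nick)
        else:
            # Same nick, different email: may be a different person, so no
            # group membership is granted until someone verifies it.
            review_queue.append(aco.nick)
    return created, merged, review_queue


def demo():
    # Constructed sample data, not real accounts.
    ipa = {"alice": Account("alice", "alice@example.org", {"fedora-packager"}),
           "bob": Account("bob", "bob@example.org", {"fedora-docs"})}
    aco = [Account("alice", "Alice@example.org", {"sig-cloud"}),
           Account("bob", "robert@example.net", {"sig-core"}),
           Account("carol", "carol@example.org", {"sig-storage"})]
    return ipa, merge_aco(ipa, aco)


if __name__ == "__main__":
    print(demo()[1])
```

The point to notice is the third branch: a nick collision with a different email never inherits groups automatically, which is what keeps an unrelated person from gaining another user's SIG access through the import.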
Hi folks,
We are planning to update all the plugins (compatible) installed on
ci.centos.org jenkins instance.
I will do it tomorrow morning (Dec 18th) at 9am UTC. I will start
preparing for shutdown then and all the jobs triggered post that will
go in the queue until the instance has updated the plugin and
restarted.
I would also like to open a question to you all who are using OCP4
cluster. How would you want to manage Jenkins update for your
namespace? There are multiple ways from them being auto updated
whenever we update the cluster (this is by default that we use),
time'd/self trigger updates, or updates on change in tags.
I am interested in hearing your thoughts.
Thank you
--
Vipul Siddharth
He/His/Him
Fedora | CentOS CI Infrastructure Team
Due to some network switches upgrade in the DC hosting some community
projects (including but not limited to CentOS), we'll have a large
majority of our infra not reachable.
Migration is scheduled for """"Tuesday November 10th, 2:00 am UTC time"""".
You can convert to local time with $(date -d '2020-11-10 14:00 UTC')
We unfortunately can't announce/give you any expected downtime as it can
last for several hours (info I received through invite) but we'll try to
restore all services/connectivity as soon as possible.
Impacted services in that DC :
- *all*
Non impacted services (easier to just mention short list of things not
in that DC, so items not listed below *will* be down) :
- https://www.centos.org
- https://forums.centos.org
- https://lists.centos.org
- mirrorlist.centos.org
--
Fabian Arrotin
The CentOS Project | https://www.centos.org
gpg key: 17F3B7A1 | twitter: @arrfab