Please carefully review the changelog:
https://github.com/go-gitea/gitea/blob/v1.17.1/CHANGELOG.md
and ensure that we've properly addressed the items listed there.
I have listed the breaking changes list here and any actions we've taken
or justification for why they don't affect us:
* Require go1.18 for Gitea 1.17 (#19918)
We were already using go 1.18.
* Make AppDataPath absolute against the AppWorkPath if it is not (#19815)
Path is already absolute:
playbooks/roles/gitea/templates/app.ini.j2:APP_DATA_PATH = /data/gitea
* Nuke the incorrect permission report on /api/v1/notifications (#19761)
This has to do with how that api endpoint returns permissions. We
don't use this anywhere as far as I can tell.
* Refactor git module, make Gitea use internal git config (#19732)
In the gitea container /data/git/.gitconfig is present but we don't
appear to manage this in system-config. I think that means this
change is a noop for us as gitea will move its managed .gitconfig
from /data/git/.gitconfig to /data/git/repositories/.gitconfig.
I expect the contents to be the same since gitea must be managing
the file old content today.
* Remove RequireHighlightJS field, update plantuml example. (#19615)
This was a flag that toggled syntax highlighting on and off as best
as I can tell. The default is to just have it turned on and we don't
check the flag in any of our templates.
* Increase minimal required git version to 2.0 (#19577)
Debian Bullseye ships with 2.30.2-1.
* Add a directory prefix gitea-src-VERSION to release-tar-file (#19396)
They were tarbombing people and their tarballs extracted into the
current dir. They now no longer do that. We build from git so this
doesn't affect us.
* Use "main" as default branch name (#19354)
We explicitly set the default branch name to master for both gitea and
gerrit. This should be a noop for us. Testing has been added to check
this.
https://opendev.org/opendev/system-config/src/branch/master/playbooks/roles/gitea-git-repos/library/gitea_create_repos.py#L129-L132https://opendev.org/opendev/jeepyb/src/branch/master/jeepyb/cmd/manage_projects.py#L488
* Make cron task no notice on success (#19221)
I'm not aware of us relying on any cron tasks or any cron task
notifications.
* Add pam account authorization check (#19040)
We don't integrate with pam so the change in behavior to check
authorization does not affect us.
* Show messages for users if the ROOT_URL is wrong, show JavaScript errors (#18971)
This message shows up in CI because ROOT_URL is https://opendev.org
but we access gitea in testing via localhost. I don't think this
is worth fixing. Its a good reminder that the instance is a test
instance.
* Refactor mirror code & fix StartToMirror (#18904)
We don't mirror repos with gitea. Should be a noop for us.
* Remove deprecated SSH ciphers from default (#18697)
hmac-sha1-96, diffie-hellman-group1-sha1, and arcfour{128,256} are
removed. The only ssh user is gerrit's replication. MINA should
be able to support more modern ciphers and be fine.
* Add the possibility to allow the user to have a favicon which differs from the main logo (#18542)
Previously, logo.svg was used as the favicon.svg and gitea only fell
back to favicon.png if the browser couldn't so the .svg. But now they
want to support users having different logo.svg and favicon.svg. This
necessitates explicitly adding a favicon.svg. Something we already do.
Details at https://github.com/go-gitea/gitea/pull/18542
* Update reserved usernames list (#18438)
This shouldn't be a problem for us as we don't have regular users and
gerrit is not a reserved name.
* Support custom ACME provider (#18340)
We run ACME with LE out of band. This doesn't affect us.
* Change initial TrustModel to committer (#18335)
This changes the signed commits trust model from collaborator
to committer. THis won't affect us as we aren't maintaining trusted
keys. But basically this now shows if the signed commit by the
committer matches the committer's key.
* Update HTTP status codes (#18063)
This changed redirect HTTP codes from 302 to 307. Shouldn't
affect us.
* Upgrade Alpine from 3.13 to 3.15 (#18050)
We build on Debian and not alpine. The alpine nodejs version did
change from 14 to 16 in this change and we've updated to match.
* Restrict email address validation (#17688)
If we had real users this may pose a problem as they are limiting
the set of emails gitea would accept to a smaller set than they
accepted before. Also fewer than actually allowed by email. But
we don't have real users so this should be fine.
* Refactor Router Logger (#17308)
This streamlines and improves the log format of some of the gitea
logs. We aren't automatically processing these logs today so this
shouldn't have a major impact on us.
Additionally this release adds a new git.HOME_PATH setting to set the
location for writing out git configs and potential gnupg configs. We
should be fine to let gitea write this content out to the default path,
but there is potential for this to impact our ssh daemon.
Changes made include:
* Minimal updates to web templates to match 1.17
* Updating nodejs to v16 as v14 failed to build gitea
* Disabling the new enabled by default "packages" feature
* New test to check repos have a master branch by default instead of
Gitea's new default of main.
Change-Id: I88105eccd118e3daca72f0b86a6b351c35e37413
This is the latest 1.1.18 release, and from the changelog there
doesn't seem to be anything important we need to take into account
from 1.1.14.
Just as a note the 1.2 series is released, but this requires much more
thought when updating.
Change-Id: I949c40e9046008d4f442b322a267ce0c967a99dc
Keeping the testing nodes at the other end of the namespace separates
them from production hosts. This one isn't really referencing itself
in testing like many others, but move it anyway.
Change-Id: I2130829a5f913f8c7ecd8b8dfd0a11da3ce245a9
This is rather different to all our existing testing, probably because
it was just written earlier.
Convert this all to curl calls like everything else. Don't use direct
IP addresses, but use the hostnames. Drop the --insecure flags as the
certificates cover the hostnames now. Also drop the separate ipv6
testing as some hosts don't have ipv6; what we are really interested
in is if the apache config is responding correctly, not the test node
networking setup.
Change-Id: I489055e89bfd8dd05487985dd408767b870c3980
Currently we define the letsencrypt certs for each host in its
individual host variables.
With recent work we have a trusted CA and SAN names setup in
our testing environment; introducing the possibility that we could
accidentally reference the production host during testing (both have
valid certs, as far as the testing hosts are concerned).
To avoid this, we can use our naming scheme to move our testing hosts
to "99" and avoid collision with the production hosts. As a bonus,
this really makes you think more about your group/host split to get
things right and keep the environment as abstract as possible.
One example of this is that with letsencrypt certificates defined in
host vars, testing and production need to use the same hostname to get
the right certificates created. Really, this should be group-level
information so it applies equally to host01 and host99. To cover
"hostXX.opendev.org" as a SAN we can include the inventory_hostname in
the group variables.
This updates one of the more tricky hosts, static, as a proof of
concept. We rename the handlers to be generic, and update the testing
targets.
Change-Id: Id98768e29a06cebaf645eb75b39e4dc5adb8830d
This explicitly tests connection through the load-balancer to the
gitea backend to ensure correct operation.
Additionally, it adds a check of the haproxy output to make sure the
back-ends are active (that's the srv_op_state field, c.f. [1])
[1] http://docs.haproxy.org/2.6/management.html#9.3-show%20servers%20state
Change-Id: Ia896134d6a9b6951acebfbf8b0b32a7ef8b87777
Move the paste testing server to paste99 to distinguish it in testing
from the actual production paste service. Since we have certificates
setup now, we can directly test against "paste99.opendev.org",
removing the insecure flags to various calls.
Change-Id: Ifd5e270604102806736dffa86dff2bf8b23799c5
For the past six months, all our mailing list sites have supported
HTTPS without incident. The main downside to the current
implementation is that Mailman itself writes some URLs with an
explicit scheme, causing people submitting forms from pages served
over HTTPS to get warnings because the forms are posting to plain
HTTP URLs for the same site. In order to correct this, we need to
tell Mailman to put https:// instead of http:// into these, but
doing so essentially eliminates any reason for us to continue
serving content over plain HTTP anyway.
Configure the default URL scheme of all our Mailman sites to use
HTTPS now, and set up permanent redirects from HTTP to HTTPS, per
the examples in the project's documentation:
https://wiki.list.org/DOC/4.27%20Securing%20Mailman%27s%20web%20GUI%20by%20using%20Secure%20HTTP-SSL%20%28HTTPS%29
Also update our testinfra functions to validate the blanket
redirects and perform all other testing over HTTPS.
Once this merges, the fix_url script will need to be run manually
against all lists for the current sites, as noted in that document.
Change-Id: I366bc915685fb47ef723f29d16211a2550e02e34
This moves the gitea partial clone test from our setup playbook into
testinfra/test_gitea.py. We should avoid asserting too much state and
behavior in the ansible as it makes the split between testinfra and
ansible more confusing. To address this we move this behavior check into
testinfra where it belongs.
Change-Id: I6a649bc380f850425c51e9b4632c798a23ab0e0e
When we migrated this to ansible I missed that we didn't bring across
the storage-aggregation.conf file.
This has had the unfortunate effect of regressing the xFilesFactor set
for every newly created graphite stat since the migration. This
setting is a percentage (0-1 float) of how much of a "bucket" needs to
be non-null to keep the value when rolling up changes. We want this
to be zero due to the sporadic nature of data (see the original change
I5f416e798e7abedfde776c9571b6fc8cea5f3a33).
This only affected newly created statistics, as graphite doesn't
modify this setting once it creates the whisper file. This probably
helped us overlook this for so long, as longer-existing stats were
operating correctly, but newer were dropping data when zoomed out.
Restore this setting, and double-check it in testinfra for the future.
For simplicity and to get this back to the prior state I will manually
update the on-disk .wsp files to this when this change applies.
Change-Id: I57873403c4ca9783b1851ba83bfba038f4b90715
Over a few upgrades, we've managed to break some of the default avatar
logos you see when browsing code on opendev.org.
After investigating ways to fix this up, we established that there
isn't an exposed API for setting these, but we can do a simple query
to point to logo files on disk. This implements that.
One caveat is that the logos should be PNG files; particiularly we
note that SVG files don't work reliably because they don't get served
with the image/svg+xml mime-type.
Change-Id: Ie6799de2fb27e09f936c488258dc1bd1c638c370
The dependent change enables the "detect-ref" option of hound, which
looks at the remote origin HEAD and indexes on that. That should
allow indexing of our mixed repos that have a mix of "master" and
"main".
Add cirros to the test, which should exercise this path, and take some
screenshosts because this a js/react app and just a "curl" doesn't
help.
Change-Id: I1850577c63566b594f9730f5b8f0bc10b07ff7e4
Depends-On: https://review.opendev.org/c/opendev/jeepyb/+/830919
Once restarted onto the parent change, our Gerrit deployment will no
longer link to Gitiles representations of changes or the Git tree.
Explicitly deny access to the Gitiles URL base path in the Apache
vhost config, since we can't effectively remove the plugin itself.
This should help prevent search engines from finding its copies of
our projects rather than the ones we want people to use in Gitea.
Change-Id: I3c96221256662443f7a43344afd12194dce82b9d
These two apt.conf.d config files are installed by different packages
but have overlap in the configuration they set. Unfortunately if the
wrong one sets the flag to disable periodic updates it wins based on apt
conf's priority rules.
To ensure that we continue to auto update and handle different packages
supplying different config files we manage the entirety of the periodic
config in both of these files at the same time using a common source
file.
Change-Id: I5e408fd7c343adb1de9ec564fe430a6f31ecc360
This file has been seen on a few servers with the Unattended-Upgrades
flag set to 0 disabling daily unattended upgrades. Most of our servers
have this set to 1 and are fine, but let's go ahead and manage this file
directly to ensure it is always 1 and auto upgrades are enabled.
Note that previously we had been setting this via apt.conf.d/10periodic
which seems to come from the update-notifier-common package on older
systems and is now no longer used. Since that file's prefix is smaller
than 20auto-upgrades the 20auto-ugprades file installed by
unattended-upgrades overrides this value. A future update would be to
coalesce both 10periodic and 20auto-upgrades together into one config
file.
Change-Id: Ic0bdaaf881780072fda7e60ff89b60b3a07b5804
While the staff mailing list is hidden and private in production,
that configuration is set after creation, so in our deployment tests
we can absolutely verify that HTTP and HTTPS redirects for listinfo
and archives work anyway. This paves the way for any further
rewrites and associated testing we may need to do for other mailing
lists which move between domains, as well as testing redirects we
may set up as part of the v2 to v3 migration.
Change-Id: I68078554a72e3b59d8192ac4339e8654a8351f52
Add secondary vhosts for HTTPS to each mailman site, but don't
remove the plain HTTP ones for now. Before switching to Mailman 3
we'll replace the current HTTP vhosts with blanket redirects to
HTTPS.
Add tests to make sure this is working, and also add a command-line
test for the lists.openinfra.dev site now that it's got a first
non-default list of its own. Also collect Apache logs from the test
nodes so we can see for sure what might break.
Change-Id: I4d93d643381f17c9a968595587909f0ba3dd6f92
Once the staff mailing list has been migrated to its new Mailman
site, merge this in order to forward posts destined for its old
address to the new one.
Add a test to make sure domain aliases are bein written as expected.
Change-Id: I5fea8e9ee6460417283c0ed7339d0dd447b2ff63
This attempts to exercise our firewall rules externally via the bridge
host in our testinfra testing. If we like this style of rule we can add
a number of tests for various firewall behaviors that we want to ensure.
Change-Id: I4ee63bc6f15af9b68fc1c690c5d92f4bf9c756c3
Our deployment tests don't need to send E-mail messages. More to the
point, they may perform actions which would like to send E-mail
messages. Make sure, at the network level, they'll be prevented from
doing so. Also allow all connections to egress from the loopback
interface, so that services like mailman can connect to the Exim MTA
on localhost.
Add new rolevars for egress rules to support this, and also fix up
some missing related vars in the iptables role's documentation.
Change-Id: If4acd2d3d543933ed1e00156cc83fe3a270612bd
Some extra steps are needed to use keycloak with a reverse proxy.
This adjusts the apache config to send the required headers and
the keycloak server config to use them.
Since the openid configuration json page is constructed entirely
from these headers (and not from static configuration), this is
a good test that the entire system is working.
Change-Id: I662dc85836d640cb732f12f39e9a61607767fcf3
This adds a keycloak server so we can start experimenting with it.
It's based on the docker-compose file Matthieu made for Zuul
(see https://review.opendev.org/819745 )
We should be able to configure a realm and federate with openstackid
and other providers as described in the opendev auth spec. However,
I am unable to test federation with openstackid due its inability to
configure an oauth app at "localhost". Therefore, we will need an
actual deployed system to test it. This should allow us to do so.
It will also allow use to connect realms to the newly available
Zuul admin api on opendev.
It should be possible to configure the realm the way we want, then
export its configuration into a JSON file and then have our playbooks
or the docker-compose file import it. That would allow us to drive
change to the configuration of the system through code review. Because
of the above limitation with openstackid, I think we should regard the
current implementation as experimental. Once we have a realm
configuration that we like (which we will create using the GUI), we
can chose to either continue to maintain the config with the GUI and
appropriate file backups, or switch to a gitops model based on an
export.
My understanding is that all the data (realms configuration and session)
are kept in an H2 database. This is probably sufficient for now and even
production use with Zuul, but we should probably switch to mariadb before
any heavy (eg gerrit, etc) production use.
This is a partial implementation of https://docs.opendev.org/opendev/infra-specs/latest/specs/central-auth.html
We can re-deploy with a new domain when it exists.
Change-Id: I2e069b1b220dbd3e0a5754ac094c2b296c141753
Co-Authored-By: Matthieu Huin <mhuin@redhat.com>
Ansible Galaxy indexes tarballs of Ansible roles and collections at
a central site, which in turn points to a dedicated Amazon S3
subdomain. The tools which consume it support overriding the default
Galaxy URL with any arbitrary one, so should be able to take
advantage of this in CI jobs.
Change-Id: Ib5664e5588f7237a19a2cdb6eec3109452e8a107
This is a re-implementation of
I195ebee548071b0b89bd5bf64b251595271178ca that puts 9-stream in a
separate AFS volume
(Note the automated volume name "mirror.centos-stream" comes just
short of the limit)
Change-Id: I483c2982a6931e7d6fc97ab82f7750b72d2ef265
Previous change If91f79a4648920999de8e6bf6e0c9fec82fde233 replaced
one of the instances of yaml.load() in this file with safe_load() in
order to silence what were then warnings. Now they're errors with
current PyYAML, so go ahead and update the other one.
Change-Id: If9f839f60cd71be8be141423ef2b93884d8aeba7
Previously we had set up the test gerrit instance to use the same
hostname as production: review02.opendev.org. This causes some confusion
as we have to override settings specifically for testing like a reduced
heap size, but then also copy settings from the prod host vars as we
override the host vars entirely. Using a new hostname allows us to use a
different set of host vars with unique values reducing confusion.
Change-Id: I4b95bbe1bde29228164a66f2d3b648062423e294
The dependent change exports the ptgbot website on port 8000 in the
container. Proxy this through apache.
Depends-On: https://review.opendev.org/c/openstack/ptgbot/+/812417
Change-Id: Idf9e9f5ffad981427d24a3476c0c1f244721d917
Dockerfile's COPY directive only copies the contents of a directory when
src is a directory. It does not copy the directory itself. This meant
the copy we were using to copy static files put them in /var/gerrit and
not /var/gerrit/static where we need them to be.
Update the Dockerfile to copy to /var/gerrit/static/ to fix this and add
some resource fetching tests to ensure they are served correctly.
Change-Id: I3bb4c06f3d7a57dcfccbbdb27cb8405586949949
In order to avoid unnecessary browser requests to other sites,
install a copy of the OpenDev logo on the Lodgeit server and serve
it from there rather than pointing at one served from Gitea.
Change-Id: I4c3678a1de8ca4a41cd0c64aab71b2e0e25373af
