Freeze Break Request. Make it so marketing spam does not work.
by Stephen John Smoogen
commit fb17ed59701ceb8f76d5b400e96c3503091eb9e6
Author: Patrick Uiterwijk <puiterwijk(a)redhat.com>
Date: Tue Apr 14 21:01:19 2015 +0000
Actually deny mailman GET subscriptions
The mailman form does POST, and this is a lot of spam bots.
The mod_rewrite does not work because it is not processed since
the ScriptAlias directive takes precedense.
Signed-off-by: Patrick Uiterwijk <puiterwijk(a)redhat.com>
diff --git a/modules/mailman/templates/mailman_httpd_config.erb
b/modules/mailman/templates/mailman_httpd_config.erb
index 43e5eb3..59a5dc7 100644
--- a/modules/mailman/templates/mailman_httpd_config.erb
+++ b/modules/mailman/templates/mailman_httpd_config.erb
@@ -2,6 +2,13 @@
# httpd configuration settings for use with mailman.
#
+<Location /mailman/subscribe>
+ <Limit GET>
+ Order deny,allow
+ Deny from all
+ </Limit>
+</Location>
+
Alias /mailman/icons /var/www/icons
ScriptAlias /mailman/ /usr/lib/mailman/cgi-bin/
<Directory /usr/lib/mailman/cgi-bin/>
@@ -19,13 +26,5 @@ Alias /pipermail/ /var/lib/mailman/archives/public/
Allow from all
</Directory>
-# redirect queries to /mailman to the listinfo page
-
-
-<IfModule mod_rewrite.c>
- RewriteEngine on
- RewriteCond %{REQUEST_METHOD} GET
- RewriteRule ^/mailman/subscribe/(.*) / [R]
-</IfModule>
RedirectMatch ^/mailman[/]*$ https://<%= mailman_default_url_host
%>/mailman/listinfo
--
Stephen J Smoogen.
7 years, 11 months
Freeze break request: Fix mirrorlist2 static files
by Patrick Uiterwijk
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Hi,
Currently, static files for Mirrorlist2 give 403 Access Denied's.
Could I get +1s to apply this fix:
commit ee955fa452df4c753c276b37a34af04933288e20
Author: Patrick Uiterwijk <puiterwijk(a)redhat.com>
Date: Tue Apr 14 09:58:38 2015 +0000
Add a Location tag for static
For every alias, you need to have either a Directory or a Location
that matches it.
Source: https://wiki.apache.org/httpd/ClientDeniedByServerConfiguration
Upstream PR: https://github.com/fedora-infra/mirrormanager2/pull/41
Signed-off-by: Patrick Uiterwijk <puiterwijk(a)redhat.com>
diff --git a/roles/mirrormanager/mirrorlist2/templates/mirrorlist-server.conf b/roles/mirrormanager/mirrorlist2/templa
index 91800c5..adb5182 100644
- --- a/roles/mirrormanager/mirrorlist2/templates/mirrorlist-server.conf
+++ b/roles/mirrormanager/mirrorlist2/templates/mirrorlist-server.conf
@@ -52,3 +52,15 @@ WSGIScriptAlias /mirrorlist /usr/share/mirrormanager2/mirrorlist_client.wsgi
Allow from all
</IfModule>
</Location>
+
+<Location /static>
+ <IfModule mod_authz_core.c>
+ # Apache 2.4
+ Require all granted
+ </IfModule>
+ <IfModule !mod_authz_core.c>
+ # Apache 2.2
+ Order deny,allow
+ Allow from all
+ </IfModule>
+</Location>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIcBAEBCgAGBQJVLOWQAAoJEIZXmA2atR5Q1BUQAIn2p750BOsqOdo0PDB/s266
qnmwLnAeGUFbpZLL0RTTcKO+6hxQD/nAvWuvFfx9/YyhWkrHHeor18pdZnzXKCWZ
vdVhfo3jNP4zLkavFeV0m5rHArEmjD95Clc7cv7CYhdWQgT/B6DKvTJUFKb1HgfP
FkYK6KYpo7aVY7odbrIMUlxFkTzX5x7ydwlHkwiQqTREwShpNCyczKdr2f1Q0yIi
+T7Aeh0341aym/VcT7DlkIq3fYS381ulmpA4NOHyEJ9v2DVdhEqbCRW94iqAdMZw
uYXSfJI6oLeRYUbXbnBA8VqPnpP2AI07kBh+eS+ji/+CfOzP0G+kCA5sQqwTZKkm
2RJH3TlpS5iPnq9J5tFl1wUBRlLBIjJK4xrILYYrXY9jonNyzfHXlq+6preE1duf
qNb5YBtbIcSZJnTZOupoHeSqz2tklMEi0oCVn5g14SUN0Zvf0csv0vSNwH74UgCv
sulJyb/prdYlGC+pqSI/QD7Z7z+1vyl+31D6qxfbT8QlBh2I/oErPB1ganoLA2KQ
AfoOT3QhrorhJh0aLm0mit0GQrYGCnHHlQmgNN5WBY6+ft/aG19gGrF710pZN8eF
UDquJHxuw0REEi7/EaHr9Hhegw0ON+xWjkLwqqvCM6ndjFfMla8gazi2re071wgD
gs6Ey7ejfdGhDzLX+qJv
=Iz0I
-----END PGP SIGNATURE-----
7 years, 11 months
Freeze break request: update python-bugzilla on bodhi*
by Patrick Uiterwijk
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Hi,
Red Hat Bugzilla got upgraded to a version that no longer
has the Bug.get_bugs API call.
There is a new python-bugzilla available that uses the new
Bug.get call instead.
Staging bodhi* has been upgraded last friday to use the new
python-bugzilla.
I would like +1s to upgrade python-bugzilla in production,
since Red Hat Bugzilla has been upgraded and as such attaching
bugs to updates is currently broken.
With kind regards,
Patrick Uiterwijk
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIcBAEBCgAGBQJVK8hJAAoJEIZXmA2atR5QYcAQAKNHg8QNRDNniqdkaFzEMPPI
RAX5jcbTe8o2kaz2ztFTlthNLW2qfVIamylOlCQRansbdyT6RVBntYEDHraMEVvf
Izv1Hx1wkzPh9EUaeKX7ZmZtmruBV+yKEBH5kRqQZRB5D2o6HE0KTZo26W98z1aI
jfv89jn778K3GS2BW3w2gEHUuQQtym0GQJCvluwP93IchltW8Ud5R8f+5JIa2EPY
N5p/zlBEB4sKvKil7NnXlFHpB1w01Ygc+Xb0MGWHgSG5ONKALNem1a1nJ++nVXDv
v8bQWm8pSw5lQI9cM31yMowOolg1WYqY+zE31qdPqx4F1V9JzoK3mvYZ9qfOl4Dp
pz4RFnfCqbLzFqScj+jeAJ41k1WetrhqfzGr6wWXpS+bTZJH7bTKGqP68sG6YZPJ
kB9PL3lpcg2CCAuVUiaJqfLmhBj0X4Mns4gPiZaZ8w3uRjQji2U8b3EHTyoAlUeC
3vnvAcrc/ZVbiK5hbkVsVXEx1rFJHeq5YEH0CHMHanBTVx7CPzAX5EaHeioOXggE
nOf/CS3+qsyskRSJuAsQB3T0tiPbcGdBxLuzwjBTu+dgck37f6i3jXcvjTai8oHl
KeZ2ICZ3ywHjvJOwvP40oxJE1P3MF3+lk8/YpXcgZu6CYrwpXne0J9JdV1otuNCv
K2ZgBYS7ZCXaO2gYqJLN
=/QsT
-----END PGP SIGNATURE-----
7 years, 11 months
[release] elections: 2.5.1
by Pierre-Yves Chibon
Hi all,
So following on the freeze break I just cut and push a new elections release:
2.5.1
Here is its changelog:
* Mon Apr 13 2015 Pierre-Yves Chibon <pingou(a)pingoured.fr> - 2.5.1-1
- Update to 2.5.1
- Close the DB connection at the end of the request
Let's see if that helps at the DB level.
Pierre
7 years, 11 months
[Freeze Break] elections 2.5.1
by Pierre-Yves Chibon
Hi all,
Elections runs into some DB troubles once in a while with a lot of queries
running.
I am not yet sure what is the root cause but one step that might already
mitigate this problem is closing the DB session after the request.
I opened a pull-request for this:
https://github.com/fedora-infra/elections/pull/41
and since it is the first change since the last release, I would like to ask for
a freeze break to cut and push a new release.
Thanks,
Pierre
7 years, 11 months
[release] MirrorManager2: 0.0.7
by Pierre-Yves Chibon
Hi all,
I just cut a new mirrormanager2 release: 0.0.7 and push it to staging. This
might help with the occasional apache failure I have seen.
There were no changes to mirrorlist, but the new rpm is in the main infra repo,
so beware if you run yum update on these hosts before freeze.
Here is the changelog:
* Mon Apr 13 2015 Pierre-Yves Chibon <pingou(a)pingoured.fr> - 0.0.7-1
- Update to 0.0.7
- Add missing import on mm2_update-EC2-netblocks
- Have the cron jobs running under a ``mirrormanager`` user (Adrian Reber)
- Update the last_crawled and last_crawled_duration correctly (Adrian Reber)
- Fix systemd's tempfile.conf for mirrormanager2
- Fix link to the crawler log file (Adrian Reber)
- Close per thread logging correctly (Adrian Reber)
- Add more informations to the log output (Adrian Reber)
- Start crawling the hosts which require the most time (Adrian Reber)
- Filters the hosts to crawl at the DB level to save time and memory (Adrian
Reber)
- Fix the xmlrpc endpoint (Adrian Reber)
- Adjust Build Requires to include systemd-devel instead of just systemd
- Close session at the end and make the session permanent
- Add new columns to the host table to store extra infos (Adrian Reber)
- Use urllib2 instead of urlgrabber in the crawler (Adrian Reber)
- Fix crawler timeout (Adrian Reber)
- run_rsync() returns a temporary file which needs to be closed (Adrian Reber)
Pierre
7 years, 11 months
April status update for Fedora Infrastructure Apprentices
by Kevin Fenzi
Greetings.
You are getting this email because you are in the 'fi-apprentice' group
in the fedora account system (or are reading this on the
infrastructure list).
Feel free to reply just directly to me, or cc the infrastructure list
for everyone to see and comment on.
https://fedoraproject.org/wiki/Infrastructure_Apprentice
At the first of every month(or so), I am going to be sending out an
email like this one. I would like feedback on how things are going for
you.
I'd like to ask for everyone to send me a quick reply with the
following data or anything related you can think of that might help us
make the apprentice program more useful.
0. Whats your fedora account system login?
1. Have you logged in and used your fi-apprentice membership to look at
our machines/setup in the last month? Do you plan to?
2. Has it helped you decide any area you wish to focus on or contribute
to more?
3. Have you looked at or been able to work on any of the fi-apprentice
'easyfix' tickets?
https://fedorahosted.org/fedora-infrastructure/report/14
4. Do you still wish to be a member of the group? If not (for whatever
reason) could you provide any hints to help others down the road?
5. Is there any help or communication or ideas you have that would help
you do any of the above?
6. What do you find to be the hardest part of getting involved?
Finding things to work on? Getting attention from others to help you?
Finding tickets in your interest area?
7. Have you been able to make any weekly irc meetings? Do you find them
helpful or interesting?
8. Have you logged into our Gobby instance and read/seen/added to our
meeting agenda? https://fedoraproject.org/wiki/Gobby
Any other general feedback is also quite welcome, including
improvements to this email, the wiki page, etc.
Any folks I do not hear from in the next week will be removed from the
group. (Note that it's easy to be readded when you have time or
whatever and it's nothing at all personal, we just want to keep the
group up to date with active folks).
Thanks, and looking forward to your feedback!
kevin
7 years, 11 months
Freeze break: db-koji01 and bvirthost09 reboot
by Kevin Fenzi
I was going to wait until after freeze for this, but with us slipping a
week I think it might be worth doing now.
For the last few weeks we have been having issues with db-koji01.
The problem started when I moved it's backend storage from one iscsi/pv
to another iscsi/pv. The load has been high since then and it's not as
performant as it was.
Effects:
* koji alerts in nagios make us need to restart httpd on koji01 (which
we can do without outage, but means a human has to wake up and go do
it).
* If koji01 httpd isn't restarted, kojira sometimes will timeout and
not launch newrepos. (We worked around this by increasing the
timeout, but it's only a matter of time before it hits this again).
* Pages on koji that need lots of db access are slower than they
were/need to be.
Cause:
Not entirely sure what the base cause is. lvdisplay shows the guest is
on the right iscsi volume, there's no iscsi errors or the like. The
host did have stale lvm data due to lvmetad running, but that shouldn't
have affected the running guest(s). I can only think there's something
still trying to hit the old no longer used iscsi volume and causing
extra load.
What I would like to do:
* Stop postgres on db-koji01. This will cause the hub to show db down
to anyone looking.
* rsync /var/lib/pgsql off to backup03. This should take less than
10min.
* shutdown db-koji01 and dhcp01.
* Reboot bvirthost09
* See if the issue clears up. If something happens and db-koji01
doesn't come back up right, we can make a new one and
sync /var/lib/pgsql back to it and be back up pretty quickly.
Hopefully it won't come to that.
I'd like to schedule this possibly over the weekend off hours when koji
isn't all that busy.
Thoughts? +1s?
kevin
7 years, 11 months
Freeze break request: Fix kojipkgs acls
by Patrick Uiterwijk
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Any +1s?
commit 8ba325e63c246d11282ce43acb36dcb76008714b
Author: Patrick Uiterwijk <puiterwijk(a)redhat.com>
Date: Fri Apr 10 12:12:39 2015 +0000
Update squid ACLs
Signed-off-by: Patrick Uiterwijk <puiterwijk(a)redhat.com>
diff --git a/roles/kojipkgs/files/squid.conf b/roles/kojipkgs/files/squid.conf
index a0d5312..8ea54b2 100644
- --- a/roles/kojipkgs/files/squid.conf
+++ b/roles/kojipkgs/files/squid.conf
@@ -40,7 +40,7 @@ acl Safe_ports port 443 # https
acl CONNECT method CONNECT
acl our_sites dstdomain kojipkgs.fedoraproject.org
acl phx2 src 10.5.125.0/24 10.5.127.0/24
- -acl repo_url url_regex ^http://kojipkgs.fedoraproject.org/repo/
+acl repo_url urlpath_regex -i ^/repo/
acl kojipkgs urlpath_regex -i \.(rpm|log|sig)$
acl mash urlpath_regex -i ^/mash/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIcBAEBCgAGBQJVJ+R0AAoJEIZXmA2atR5QzdcP/3Zcowisa8xD47OEV+P6BKpg
uEdq36VKQ0VX5j+9QiuvWi3kBdlhZKJIBBzCUXMIK5bUmQVxO2rMCYm9DVZItXXJ
4HJJsbHrx0oP1C9lM+YDrjDohhN1+Eq44oeZPDJQNFhZ9oAltzH5gzrkqgaiW9P1
3KaoSuFtTtUQNJb8jTHV5eG9H+8AAU4/LsfyOuuT6N3eztdyctYn+6pjzYq5xZDH
Wb2a+mH/NrVdNou2EfhV1AxeB1Idrn5VAHoqTs0xNbBEtKa3I5BCrO9l0fL+f3lV
GiaHXADvswt1jaD7/AgcMogY0i/xpb6xLnN60OTp6TEGoEwRR4JBLZAY1aYNvyrI
P5jVxILYb/oK/WYoB0aV75gFypXMZgwWnzXdpNLshUzBi/SBi6P31nf5k4vjAHIZ
mDhI4mfnuU9dLSWFnnljOwGK1FMH7PSP+xrAn37vrfmJMQhxPeNI5wU0nwJol7zg
DYSS1XMTvTq7k2mdXf0UTx4QQUzaJOBVjAy6A9lZSK50MRYu2jRToKmF371fEM+f
/iH3aeb9x3Ur+m6SQwXyEnjPXIUzglbpR+m9sHBRz5oQrpi99wyTojlQj0yvyjtF
Q5wAMebPDUBO/ioUJObEG00IgIY7nWGtEpsxMigruubG/o34fmaMZPoqTSy44qzl
DAYqEoCjoQBbOHHr/Alc
=lyiV
-----END PGP SIGNATURE-----
7 years, 11 months