@blaisepabon:matrix.org | Ok, I suspect that the problem is due to some path traversal foible.... | 03:41 |
---|---|---|
I had manually copied the zuul proxy config file and everything else was created by the roles, so I will find the templates in the roles directory and put the zuul reverse proxy settings there. | ||
@iwienand:matrix.org | ok, so dib's fedora/rocky testing has started failing with the update to 3.10/jammy images | 06:08 |
@iwienand:matrix.org | these are the "containerfile" elements that run podman inside the container | 06:09 |
@iwienand:matrix.org | i've filed https://github.com/containers/podman/issues/14884 but upon more research, i'm starting to think it's a cgroups v2 thing | 06:09 |
@iwienand:matrix.org | i have some suspicion this is related to "--cgroupns=private" v "host" | 06:11 |
@iwienand:matrix.org | however, nodepool-builder is already running as "privileged: true" | 06:12 |
@iwienand:matrix.org | docker-compose has bugs open that it doesn't support the --cgroupns flag. so simply switching it in the compose file isn't as easy as you would hope | 06:13 |
-@gerrit:opendev.org- Ian Wienand proposed: [zuul/nodepool] 849273: [wip] test /sys/fs/cgroup mapped as rw https://review.opendev.org/c/zuul/nodepool/+/849273 | 06:16 | |
@iwienand:matrix.org | https://review.opendev.org/c/openstack/diskimage-builder/+/849274 will test ^ | 06:18 |
-@gerrit:opendev.org- Zuul merged on behalf of David Ostrovsky: [zuul/zuul-jobs] 846909: ensure-java role: Bump default java_version to 11 https://review.opendev.org/c/zuul/zuul-jobs/+/846909 | 12:38 | |
@blaisep-sureify:matrix.org | Ok, I see what happened. | 19:37 |
The Example in the Zuul Doc : | ||
https://zuul-ci.org/docs/zuul/latest/installation.html#static-offload | ||
includes a directory | ||
and httpd needs access to that directory. | ||
@jim:acmegating.com | Blaise Pabon: fwiw, i think the "static offload" form is super complicated (it's most useful if you have a zuul site that is so busy that having zuul-web serve the static javascript files is a kind of DoS against it). to my knowledge, there is not (yet) a zuul site so large that it is required. i would suggest implementing only this part: https://zuul-ci.org/docs/zuul/latest/installation.html#reverse-proxy and stop there (before static offload). basically just those 3 lines. | 19:44 |
@jim:acmegating.com | that's what opendev does (though its config also has some extra bits to enable caching) | 19:44 |
@blaisep-sureify:matrix.org | Ok, so then my TLS would get handled before traffic gets forwarded to `:9000` ? | 19:50 |
@jim:acmegating.com | Blaise Pabon: yep; stick those 3 lines in a virtualhost with ssl configured, and you've got apache handling tls then forwarding plaintext to :9000. that's exactly what opendev does | 19:53 |
@blaisep-sureify:matrix.org | I guess, I'm getting closer.... I got | 19:55 |
``` | ||
http://u.do.controlplane.info/WCC2/Home/Login?ReturnUrl=%2fWCC2%2f | ||
``` | ||
@blaisep-sureify:matrix.org | Is this WCC2 one of the sample sites? | 20:13 |
@blaisep-sureify:matrix.org | oops, standby | 20:17 |
@blaisep-sureify:matrix.org | I... keep getting redirected to the Devicenet Web Portal SSL warning.... | 20:25 |
Are these friends of ours? | ||
@blaisep-sureify:matrix.org | Never mind.... 😊 | 20:34 |
@blaisep-sureify:matrix.org | I don't think that the opendev http config files are accessible in the repository | 23:41 |
https://opendev.org/opendev/system-config/src/branch/master/testinfra | ||
@blaisep-sureify:matrix.org | In fact, it looks like the tests skip TLS altogether. | 23:45 |
https://opendev.org/opendev/system-config/src/branch/master/testinfra/test_nodepool.py#L56 | ||
I'm guessing that's because it's such a PITA | ||
@blaisep-sureify:matrix.org | * I don't think that the opendev http virtualhost config files are accessible in the repository | 23:47 |
https://opendev.org/opendev/system-config/src/branch/master/testinfra | ||
-@gerrit:opendev.org- James E. Blair proposed: [zuul/zuul] 849442: Strictly sequence reconfiguration events https://review.opendev.org/c/zuul/zuul/+/849442 | 23:49 | |
@jim:acmegating.com | Blaise Pabon: they do actually test tls (though it is a PITA); the --insecure flag there just accommodates the fact that it's running with untrusted certs. | 23:50 |
@jim:acmegating.com | Blaise Pabon: here's the template for opendev's zuul apache reverse proxy config (with those 3 lines from the docs highlighted): https://opendev.org/opendev/system-config/src/branch/master/playbooks/roles/zuul-web/templates/zuul.vhost.j2#L43-L46 | 23:52 |
@jim:acmegating.com | fungi: https://review.opendev.org/849442 addresses a problem i believe has been observed in opendev | 23:54 |