Age | Commit message | Author
2024-04-12 | TF: Up heap to 15G (HEAD, master) | Benjamin Copeland
Change-Id: Ibb6018da6057df73ebcfb85b257a217eccf77470 Signed-off-by: Benjamin Copeland <ben.copeland@linaro.org> Reviewed-on: https://review.linaro.org/c/infrastructure/ansible-playbooks/+/47013
2024-03-26 | rktools: add rootkit detection tools to atom | Kelley Spoon
This change adds some helpful rootkit detection tools to our atom role. Change-Id: Iea3b3c92f1a1da60a3c3d934ccc107b3d20445ad Signed-off-by: Kelley Spoon <kelley.spoon@linaro.org> Reviewed-on: https://review.linaro.org/c/infrastructure/ansible-playbooks/+/46871
2024-03-26 | x86-TF-07: drop host from playbook | Kelley Spoon
Since we're dropping host x86-TF-07, let's go ahead and remove it from the playbook as well. Change-Id: I1ecd7954e54306e86c6f9b5d49732a525cf76200 Signed-off-by: Kelley Spoon <kelley.spoon@linaro.org> Reviewed-on: https://review.linaro.org/c/infrastructure/ansible-playbooks/+/46412
2024-03-26 | apache-site: install blocked referrers file | Kelley Spoon
The blocked-refs file that listed known referrers to block from access to the server was never uploaded. Let's be sure to include it now and centralize the location of where we keep this list. Change-Id: I88a27d809e1c2b1cb321a73be3831f844d492941 Signed-off-by: Kelley Spoon <kelley.spoon@linaro.org> Reviewed-on: https://review.linaro.org/c/infrastructure/ansible-playbooks/+/46870
2024-03-26 | beats: remove elastalert infra from playbook | Kelley Spoon
We have long since retired elastalert for monitoring, but we have left behind the *beats* infrastructure. It is possible for someone to inadvertently re-install it by running a playbook, so let's get rid of the unused code to set it all up. Change-Id: Iddc290d22c4c0557f29b3d6a4900c9ecba127792 Signed-off-by: Kelley Spoon <kelley.spoon@linaro.org> Reviewed-on: https://review.linaro.org/c/infrastructure/ansible-playbooks/+/46872
2024-03-12 | apache-site: install blocked referrers file | Kelley Spoon
The blocked-refs file that listed known referrers to block from access to the server was never uploaded. Let's be sure to include it now and centralize the location of where we keep this list. Change-Id: I210bbb8c22101eb8c360397e38a26dd26ba68ef8 Signed-off-by: Kelley Spoon <kelley.spoon@linaro.org> Reviewed-on: https://review.linaro.org/c/infrastructure/ansible-playbooks/+/46860
2024-03-12 | cgit: Disable ability to zip repos | Benjamin Copeland
Change-Id: I11b3bd8a71bc2e39977d3920d1629c3fd695db22 Signed-off-by: Benjamin Copeland <ben.copeland@linaro.org> Reviewed-on: https://review.linaro.org/c/infrastructure/ansible-playbooks/+/46858 Reviewed-by: Kelley Spoon <kelley.spoon@linaro.org>
2024-02-26 | gerrit: remove audit.config template | Kelley Spoon
audit plugin is configured in the main gerrit.config, so let's remove this task to create a separate config file Change-Id: If67d6bf4206c66e905e19a536763286946d84f0d Signed-off-by: Kelley Spoon <kelley.spoon@linaro.org> Reviewed-on: https://review.linaro.org/c/infrastructure/ansible-playbooks/+/46798
2024-02-26 | gerrit: fix typo in a-r.l.o config | Kelley Spoon
Fix java version typo in a-r.l.o config Change-Id: I9e04aab1f7b9067a1eaa9219affbae9fa467aa87 Signed-off-by: Kelley Spoon <kelley.spoon@linaro.org> Reviewed-on: https://review.linaro.org/c/infrastructure/ansible-playbooks/+/46769
2024-02-26 | gerrit: add oom score adjustment to unit file | Kelley Spoon
Add in an oom score adjustment to protect gerrit and prevent it from being suddenly killed when the server is busy. Change-Id: Ifc0009a8d0108a30b44c1441cfc97266a782dce6 Signed-off-by: Kelley Spoon <kelley.spoon@linaro.org> Reviewed-on: https://review.linaro.org/c/infrastructure/ansible-playbooks/+/46768 Reviewed-by: Benjamin Copeland <ben.copeland@linaro.org>
2024-02-23 | gerrit: add support for audit-sl4j to gerrit | Kelley Spoon
This adds in support for the audit-sl4j plugin. Change-Id: I18f88fc98c8790cd4fb86489816082d6c093166c Signed-off-by: Kelley Spoon <kelley.spoon@linaro.org> Reviewed-on: https://review.linaro.org/c/infrastructure/ansible-playbooks/+/46770 Reviewed-by: Benjamin Copeland <ben.copeland@linaro.org>
2024-01-31 | jenkins-tf: drop TF-06 and TF-07 | Kelley Spoon
Since these servers are being retired from Scaleway, let's remove them from the hosts and their host_vars so we don't try to deploy to them. Change-Id: Idb561b71b70b2f03352c7d3a9359f48bffd95bb7 Signed-off-by: Kelley Spoon <kelley.spoon@linaro.org> Reviewed-on: https://review.linaro.org/c/infrastructure/ansible-playbooks/+/46599 Reviewed-by: Benjamin Copeland <ben.copeland@linaro.org>
2024-01-14 | node_exporter: make scrape password optional | Kelley Spoon
This change makes the requirement of http basic auth credentials to read the node_exporter endpoint optional. You can disable it by setting the user and password to null in the host_vars for a host. Change-Id: I058e61c46bbf8d74f3a22e0954def66c2ba10830 Signed-off-by: Kelley Spoon <kelley.spoon@linaro.org> Reviewed-on: https://review.linaro.org/c/infrastructure/ansible-playbooks/+/46518
2024-01-13 | ssh: update known_hosts | Kelley Spoon
Add host keys for: aosp-x86-10 So that they're updated in jenkins Change-Id: Ia0467b8392fcaa98b7909064b2a2da8cab35d8c1 Signed-off-by: Kelley Spoon <kelley.spoon@linaro.org> Reviewed-on: https://review.linaro.org/c/infrastructure/ansible-playbooks/+/46517
2024-01-13 | update aarch64-09 in ssh config | Kelley Spoon
The ip address for aarch64-09 was not updated in the ssh config. Let's fix that with this change. Change-Id: Ie71424da989aa00cd33c3c2fc9e4f038597586ad Signed-off-by: Kelley Spoon <kelley.spoon@linaro.org> Reviewed-on: https://review.linaro.org/c/infrastructure/ansible-playbooks/+/46515
2024-01-05 | aarch64-09: Update IP/Gitlab details | Benjamin Copeland
Change-Id: Ibe29caf766f240d2b293da6c14d9de59c2c30759 Signed-off-by: Benjamin Copeland <ben.copeland@linaro.org> Reviewed-on: https://review.linaro.org/c/infrastructure/ansible-playbooks/+/46457
2024-01-05 | Jenkins: Add d05 to known_hosts | Benjamin Copeland
Change-Id: I29434d0418dc4548d8af94eb889ee1e90eaab00d Signed-off-by: Benjamin Copeland <ben.copeland@linaro.org> Reviewed-on: https://review.linaro.org/c/infrastructure/ansible-playbooks/+/46057
2023-12-14 | mirroring-gerrit: add github llvm/llvm-lnt repo | Kelley Spoon
This change starts mirroring the llvm/llvm-lnt repo from github for toolchain/llvm-lnt Change-Id: Ibbe821cccac4bc41c1ba4881b2a8d7c9eeba9922 Signed-off-by: Kelley Spoon <kelley.spoon@linaro.org> Reviewed-on: https://review.linaro.org/c/infrastructure/ansible-playbooks/+/46396
2023-12-14 | hosts: remove retired hosts | Kelley Spoon
Remove offlined hosts to reduce false positives in monitoring. Change-Id: I641a2bc59292639d6c3fe14b6e6ee8df74970f2e Signed-off-by: Kelley Spoon <kelley.spoon@linaro.org> Reviewed-on: https://review.linaro.org/c/infrastructure/ansible-playbooks/+/46384
2023-12-13 | devboards: allow team android ssh and sudo | Kelley Spoon
This change grants shell and sudo access to members of LDAP group team-android-engineering Change-Id: I39c010138da3500bf28db7c77ce2559c8d0b13d6 Signed-off-by: Kelley Spoon <kelley.spoon@linaro.org> Reviewed-on: https://review.linaro.org/c/infrastructure/ansible-playbooks/+/46373
2023-12-11 | mirror-gerrit: remove lhg-review mirror.conf | Kelley Spoon
Since the server is no longer online, let's drop this. Change-Id: Ia57b45520292dfdc44ff245fa809241f60248323 Signed-off-by: Kelley Spoon <kelley.spoon@linaro.org> Reviewed-on: https://review.linaro.org/c/infrastructure/ansible-playbooks/+/46349 Reviewed-by: Benjamin Copeland <ben.copeland@linaro.org>
2023-12-08 | git-*: remove git-ie and git-ap | Kelley Spoon
As we're scaling back our infra, let's remove servers that are being offlined. Change-Id: I2224e965e5122b149fb892e06d3e466b299f8717 Signed-off-by: Kelley Spoon <kelley.spoon@linaro.org> Reviewed-on: https://review.linaro.org/c/infrastructure/ansible-playbooks/+/46339
2023-11-28 | git.mlp.o: update bots and change git from symlink | Kelley Spoon
This change updates the bots list and also changes the apache config for git.mlplatform.org to be a standalone file instead of a symlink back to the git.linaro.org conf. Change-Id: Idc200a589c48cccf3ce851632f468ba2590a3e7e Signed-off-by: Kelley Spoon <kelley.spoon@linaro.org> Reviewed-on: https://review.linaro.org/c/infrastructure/ansible-playbooks/+/46159
2023-11-28 | postfix: disable vulnerable SSL and TLS versions | Kelley Spoon
A recent security scan noted that we were still supporting vulnerable SSL and TLS versions in addition to using obsolete or vulnerable ciphers. This change disables them. Change-Id: I4ca439beccf32d3f6ba7f788ea9e9b8723d1eecf Signed-off-by: Kelley Spoon <kelley.spoon@linaro.org> Reviewed-on: https://review.linaro.org/c/infrastructure/ansible-playbooks/+/46277
2023-11-20 | prometheus: update nodes grafana.l.o monitors | Kelley Spoon
We've had some changes in the hosts we need to monitor, so let's get prometheus caught up with the changes. Change-Id: I3b4f186275b5fb094e50efeb811eb11da9fe4403 Signed-off-by: Kelley Spoon <kelley.spoon@linaro.org> Reviewed-on: https://review.linaro.org/c/infrastructure/ansible-playbooks/+/46111
2023-11-20 | apache: centralize a list of bad user agents | Kelley Spoon
This change centralizes our list of bad user agents and puts it into one file to be maintained across all of our websites. Change-Id: I0e24b6b9713ac7eeed957a5b184303371f9cc485 Signed-off-by: Kelley Spoon <kelley.spoon@linaro.org> Reviewed-on: https://review.linaro.org/c/infrastructure/ansible-playbooks/+/46189 Reviewed-by: Benjamin Copeland <ben.copeland@linaro.org>
2023-11-20 | apache: remove configs for sites we no longer have | Kelley Spoon
Let's remove some of the apache configs for sites we're no longer deploying. Change-Id: I640b97c3c65f347e0a6cab7f0f592a9730f10d90 Signed-off-by: Kelley Spoon <kelley.spoon@linaro.org> Reviewed-on: https://review.linaro.org/c/infrastructure/ansible-playbooks/+/46190 Reviewed-by: Benjamin Copeland <ben.copeland@linaro.org>
2023-11-06 | Gerrit: Fix gitiles clone url | Benjamin Copeland
Change-Id: I2cbb730da8a0a7c766b55064e43668e24d948b09 Signed-off-by: Benjamin Copeland <ben.copeland@linaro.org> Reviewed-on: https://review.linaro.org/c/infrastructure/ansible-playbooks/+/46131
2023-10-25 | gerrit: remove limit settings in systemd unit | Kelley Spoon
The settings for the LIMITs in the systemd unit file were unrecognized and causing an error message stating they were being ignored to be logged, thus potentially hiding any real problems with the service. Let's just remove them for now as they were basically experimental. Change-Id: I290c013858a08b87da5f6c279b47853fbdb0264a Signed-off-by: Kelley Spoon <kelley.spoon@linaro.org> Reviewed-on: https://review.linaro.org/c/infrastructure/ansible-playbooks/+/46029
2023-10-25 | gerrit: reverse logic for update_keys cronjob | Kelley Spoon
The logic is reversed for when we want to skip enabling the update_keys cron job in gerrit. Let's make sure to install it if "gerrit_no_update_keys" is undefined. Change-Id: I05ee59ea818081a2a75a711ee2029927767de3c6 Signed-off-by: Kelley Spoon <kelley.spoon@linaro.org> Reviewed-on: https://review.linaro.org/c/infrastructure/ansible-playbooks/+/46028
2023-10-25 | review.tf.o: enable user mentions in comments | Kelley Spoon
The TF team has requested enabling user mentions, which was an experimental feature introduced in gerrit 3.7. Change-Id: I90a6c1de0732fd6b59770780f0a88017218240f1 Signed-off-by: Kelley Spoon <kelley.spoon@linaro.org> Reviewed-on: https://review.linaro.org/c/infrastructure/ansible-playbooks/+/46023
2023-10-25 | devboards: add autosubmitter module to gerrit | Kelley Spoon
Add the autosubmitter module to the devboards gerrit. Change-Id: If2e745bdc00d4cb18a98da72fba7cebb32b22375 Signed-off-by: Kelley Spoon <kelley.spoon@linaro.org> Reviewed-on: https://review.linaro.org/c/infrastructure/ansible-playbooks/+/46024
2023-10-25 | devboards: enable git requests through source | Kelley Spoon
It has been requested that we allow git requests over http to the same URL that users are using to browse a repo via gitiles. Unfortunately git requests to a gitiles repo result in a 403 error. This change updates both apache and gerrit's gitiles configuration to allow the git request to work. Change-Id: I039bff2d0dcd92846f40ba041fd5622337e568a5 Signed-off-by: Kelley Spoon <kelley.spoon@linaro.org> Reviewed-on: https://review.linaro.org/c/infrastructure/ansible-playbooks/+/46025
2023-10-24 | gerrit: attempt to fix too fast respawn | Kelley Spoon
When gerrit crashes, systemd will be blocked from restarting it by something and it will give up trying to restart the broken service. This leaves gerrit throwing a 503 error, which isn't detected until a human logs in and attempts to use it. Let's give systemd an explicit command to kill the gerrit process as well as make it aware of the jvm's successful exit values so that it will know to wait for a clean exit instead of running the start command too soon and exhausting its internal wait/retry limit. Change-Id: I23715ab7dc2078e277cc813c9b743913179ee011 Signed-off-by: Kelley Spoon <kelley.spoon@linaro.org> Reviewed-on: https://review.linaro.org/c/infrastructure/ansible-playbooks/+/45929
2023-10-20 | x86-tf-06 and 07: add hosts to ssh/config | Kelley Spoon
Since neither has external DNS, let's add ssh config entries. Change-Id: I28d6a24427b517b6ea7b0b84f9dfc1a96bb04d8b Signed-off-by: Kelley Spoon <kelley.spoon@linaro.org> Reviewed-on: https://review.linaro.org/c/infrastructure/ansible-playbooks/+/45911
2023-10-19 | docker-swarm-manager: reduce size of swarm | Kelley Spoon
Our jenkins installation has had much of the load it used to handle relieved by projects moving to gitlab for CI. As such, we no longer need as large of a general build pool, so let's remove some of them from the swarm so we can retire the physical servers. Change-Id: Iaf496cc202a8998ae523238fe4f636548f28b8c7 Signed-off-by: Kelley Spoon <kelley.spoon@linaro.org> Reviewed-on: https://review.linaro.org/c/infrastructure/ansible-playbooks/+/45953 Reviewed-by: Benjamin Copeland <ben.copeland@linaro.org>
2023-10-19 | aosp-x86-10: add in aosp-x86-10 | Kelley Spoon
Add required entries for aosp-x86-10. Change-Id: Icfd95fce526fbb7ca1db4d11d1c79c3bf9fbd643 Signed-off-by: Kelley Spoon <kelley.spoon@linaro.org> Reviewed-on: https://review.linaro.org/c/infrastructure/ansible-playbooks/+/45962
2023-10-18 | aosp-x86-09: add server | Kelley Spoon
This change adds in aosp-x86-09. It also corrects a potential issue with nfs mounts that weren't being included on servers under the jenkins_slaves_hetzner ansible group by merging it with the jenkins_slaves_hetzner_oe group. Change-Id: I3bab30b7769ed8de0cdb5d7512c9f7731f780853 Signed-off-by: Kelley Spoon <kelley.spoon@linaro.org> Reviewed-on: https://review.linaro.org/c/infrastructure/ansible-playbooks/+/45954
2023-10-16 | devboards: restore gerrit config | Kelley Spoon
Somehow the gerrit config for gerrit.dbfoa.l.o got dropped and ansible is unable to find a template to use. Let's restore it based on the currently running config. Change-Id: Ia9d152bc8d6a5d70c427f74e4f6c2397e59a0599 Signed-off-by: Kelley Spoon <kelley.spoon@linaro.org> Reviewed-on: https://review.linaro.org/c/infrastructure/ansible-playbooks/+/45891
2023-10-09 | TF: Add new hosts | Benjamin Copeland
Change-Id: Id9ad011c5618d75c00a8471e1f0efa0ee18e3e4a Reviewed-on: https://review.linaro.org/c/infrastructure/ansible-playbooks/+/45882 Reviewed-by: Benjamin Copeland <ben.copeland@linaro.org>
2023-10-09 | Gerrit: Devboardsforandroid | Benjamin Copeland
A rather large changeset but here we are. This change set makes gerrit the primary address, drops git. and makes sources. a new tld. With the new tld sources.devboardsforandroid. we proxy redirect these requests to gitiles, and drop cgit. Upon this gitiles requires some config to change clone urls and redirects. Change-Id: I225030730ad8e3945b138fc80119de20f6a6b519 Signed-off-by: Benjamin Copeland <ben.copeland@linaro.org> Reviewed-on: https://review.linaro.org/c/infrastructure/ansible-playbooks/+/45700
2023-10-04 | review.tf.o: use default gerrit version | Kelley Spoon
Now that we are upgrading to the same version of gerrit, we no longer need to maintain a separate gerrit version and checksum in the host_var file and can just use the default in the group_var file. Change-Id: I9b2e1e1199345e969b4c05be9cbaa7c74103acf8 Signed-off-by: Kelley Spoon <kelley.spoon@linaro.org> Reviewed-on: https://review.linaro.org/c/infrastructure/ansible-playbooks/+/45837
2023-08-19 | TF Jenkins: move back to public image | Kelley Spoon
Due to a security alert, we need to redeploy the docker images on ci.tf.o and ci.staging.tf.o. Let's take this opportunity to move both servers back to the public image. Change-Id: I29620569dcc62a13c8c8838ed87623338df50482 Signed-off-by: Kelley Spoon <kelley.spoon@linaro.org> Reviewed-on: https://review.linaro.org/c/infrastructure/ansible-playbooks/+/45451
2023-08-18 | devboardsforandroid: create initial configuration | Kelley Spoon
This change adds in the initial configuration for the gerrit server git.devboardsforandroid.ctt.linaro.org Change-Id: Idd5098469bdeeaaeb99a8e01cd5ef551f2754603 Signed-off-by: Kelley Spoon <kelley.spoon@linaro.org> Reviewed-on: https://review.linaro.org/c/infrastructure/ansible-playbooks/+/45234
2023-08-18 | ssh/known_hosts: update host key for ci.tf.o | Kelley Spoon
Update host_key for ci.tf.o Change-Id: I775b35f2a1e9f14b1b49cd7183f09e5c94d00511 Signed-off-by: Kelley Spoon <kelley.spoon@linaro.org> Reviewed-on: https://review.linaro.org/c/infrastructure/ansible-playbooks/+/45271
2023-08-18 | jenkins: disable atomicfilewriter in production | Kelley Spoon
Add -Dhudson.util.AtomicFileWriter.DISABLE_FORCED_FLUSH=true to java options in order to address a load issue that seems to only occur when the server gets busy. `strace -c -f -p <pid>` is showing that 75.4% of time is spent waiting on futexes, which indicates these constant writes are overwhelming the disk buffer and driving the load spikes. This is likely caused by the explosion in jobs created to support more matrix options of the tf-a-builder job. Change-Id: I44fa389ee4cc1a2691d3bb3f09da520edcec77eb Signed-off-by: Kelley Spoon <kelley.spoon@linaro.org> Reviewed-on: https://review.linaro.org/c/infrastructure/ansible-playbooks/+/45243
2023-08-18 | gerrit.forge.linaro.com: convert to use postfix | Kelley Spoon
After having problems getting gerrit to route email through the gmail imap server, let's take advantage of the SES setup for the account and use locally running postfix. Inbound email is currently not configured. Change-Id: I4f1d76412bee991b0bfd0c6e81a388b2602a2f6e Signed-off-by: Kelley Spoon <kelley.spoon@linaro.org> Reviewed-on: https://review.linaro.org/c/infrastructure/ansible-playbooks/+/45331
2023-08-17 | pub-ie.ctt.l.o: add cert for the host | Kelley Spoon
Apparently it's the end of the world if we don't have a current cert for a domain whose sole purpose is to redirect to the main site. Let's make sure dehydrated also updates the cert for pub-ie.ctt.l.o and installs it with the others. Change-Id: I92aaad08cf4a2a74144335c4098613fa7e99bebe Reviewed-on: https://review.linaro.org/c/infrastructure/ansible-playbooks/+/45397 Reviewed-by: Kelley Spoon <kelley.spoon@linaro.org>
2023-08-15 | gerrit: remove postgres database config | Kelley Spoon
Gerrit is no longer using postgresql for reviewdb, so let's remove configuration for it in preparation of the config directive being retired. Change-Id: I3c52b9f5d1c90629b27f70ec3788e0f17a47d882 Signed-off-by: Kelley Spoon <kelley.spoon@linaro.org> Reviewed-on: https://review.linaro.org/c/infrastructure/ansible-playbooks/+/45332
2023-08-11 | x86-TF-03 and 04: add fvp ECR sync script to cron | Kelley Spoon
Previously the fvp images for LAVA were synced to the jenkins main node to run FVP jobs, and this was handled by a cron job on the server. Since we moved the workers to x86-TF-03 and 04, we need to implement the sync script to log in to the private ECR and 'docker pull' the latest images. Change-Id: I0fe5304e62608188223eb966f5272e7f67fe78a9 Signed-off-by: Kelley Spoon <kelley.spoon@linaro.org> Reviewed-on: https://review.linaro.org/c/infrastructure/ansible-playbooks/+/43571