DuckCorp Projects: Issues
https://projects.duckcorp.org/
2020-08-28T10:34:19Z
DuckCorp Projects
Redmine

DuckCorp Infrastructure - Review #712 (Resolved): Fix 'ipaddr' Jinja filter usage and avoid a fork
https://projects.duckcorp.org/issues/712
2020-08-28T10:34:19Z
Pierre-Louis Bonicoli, pierre-louis.bonicoli@ir5.eu
<p><a href="https://vcs-git-viewer.duckcorp.org/?p=duckcorp/duckcorp-infra.git;a=log;h=refs/heads/fix_ipaddr_usage" class="external"><code>fix_ipaddr_usage</code></a> branch from <code>duckcorp-infra</code> repository.</p>
<p>Use <code>address</code> parameter with hosts and <code>network</code> parameter with ranges.</p>
<p><code>ipaddr</code> Jinja filter behavior is quite unexpected but a fork of this filter isn't required.</p>
<p>Tested with the following play and command:</p>
<pre><code>- hosts: all
  tasks:
    # Print each whitelist entry as address-or-network followed by its netmask
    - debug:
        msg: "{{ item ~ ' : ' ~ (item|ipaddr('address') or item|ipaddr('network')) ~ '/' ~ item|ipaddr('netmask') }}"
      loop: '{{ firewalling.whitelist }}'</code></pre>
<pre><code>$ ansible-playbook -c local -l Elwing test.yaml</code></pre>
<p>The playbook output is the same with these ipaddr versions:</p>
<p>- the one committed<br />- <a href="https://github.com/ansible/ansible/blob/stable-2.9/lib/ansible/plugins/filter/ipaddr.py" class="external">ansible/ansible: branch stable-2.9</a><br />- <a href="https://github.com/ansible-collections/ansible.netcommon/blob/1.1.2/plugins/filter/ipaddr.py" class="external">ansible-collections/ansible.netcommon</a></p>
<p>Relates: <a class="issue tracker-1 status-3 priority-6 priority-high2 closed" title="Bug: restrict LDAP service accounts (Resolved)" href="https://projects.duckcorp.org/issues/646">#646</a></p>

DuckCorp Infrastructure - Review #711 (Resolved): Allow to connect to services hosted on Orthos w...
https://projects.duckcorp.org/issues/711
2020-08-25T15:42:24Z
Pierre-Louis Bonicoli, pierre-louis.bonicoli@ir5.eu
<p><a href="https://vcs-git-viewer.duckcorp.org/?p=duckcorp/duckcorp-infra.git;a=log;h=refs/heads/allow_input_connections_from_hypervisor" class="external"><code>allow_input_connections_from_hypervisor</code></a> branch from <code>duckcorp-infra</code> repository.</p>
<p>Allow input connections from the hypervisor</p>
<p>While being at Conde, without this patch, I am not able to reach <code>sup.duckcorp.org</code>. Indeed the following packet is dropped:</p>
<p>On the hypervisor:</p>
<pre><code>IP 192.168.100.1.33874 > 192.168.100.2.443: Flags [S]</code></pre>
<p>where:</p>
<pre>
192.168.100.1: IP of the hypervisor on the bridge used with libvirt
192.168.100.2: Orthos
</pre>
<p>This patch has been applied already.</p>

DuckCorp Infrastructure - Review #707 (Resolved): ansible-role-zabbix: ignore debian bugs #909750
https://projects.duckcorp.org/issues/707
2020-07-09T00:45:21Z
Pierre-Louis Bonicoli, pierre-louis.bonicoli@ir5.eu
<p>Repository/branch: <a href="https://vcs-git-viewer.duckcorp.org/?p=duckcorp/ansible-role-zabbix" class="external"><code>ansible-role-zabbix/ignore_debian_bugs_#909750</code></a></p>
<p>Ignore Debian bug #909750, work around this issue:</p>
<pre>
Reading package lists...
Building dependency tree...
Reading state information...
The following additional packages will be installed:
fontconfig-config fonts-dejavu-core libfontconfig1 libgd3 libjbig0
libjpeg62-turbo libtiff5 libwebp6 libxpm4 php php-bcmath php-gd
php-ldap php-mbstring php-pgsql php-xml php7.3 php7.3-bcmath php7.3-gd
php7.3-ldap php7.3-mbstring php7.3-pgsql php7.3-xml
Suggested packages:
libgd-tools
The following NEW packages will be installed:
fontconfig-config fonts-dejavu-core libfontconfig1 libgd3 libjbig0
libjpeg62-turbo libtiff5 libwebp6 libxpm4 php php-bcmath php-gd
php-ldap php-mbstring php-pgsql php-xml php7.3 php7.3-bcmath php7.3-gd
php7.3-ldap php7.3-mbstring php7.3-pgsql php7.3-xml zabbix-frontend-php
0 upgraded, 24 newly installed, 0 to remove and 40 not upgraded.
[...]
serious bugs of libfontconfig1 (-> 2.13.1-2) <Forwarded>
b1 - #909750 - applications tries to write to /usr/* directories via
libfontconfig1
Summary:
libfontconfig1(1 bug)
libfontconfig1 pinned by adding Pin preferences in
/etc/apt/preferences.d/apt-listbugs. Restart APT session to enable
**********************************************************************
****** Exiting with an error in order to stop the installation. ******
**********************************************************************
</pre>

DuckCorp Infrastructure - Review #706 (Resolved): ansible-role-httpd_php_fpm: dont_check_potentia...
https://projects.duckcorp.org/issues/706
2020-07-08T19:59:48Z
Pierre-Louis Bonicoli, pierre-louis.bonicoli@ir5.eu
<p>Repository/branch: <a href="https://vcs-git-viewer.duckcorp.org/?p=duckcorp/ansible-role-httpd_php_fpm" class="external"><code>ansible-role-httpd_php_fpm/dont_check_potentially_non_existent_path</code></a></p>
<p>Don't check existence of potentially nonexistent paths.</p>
<p>Some paths might be created later, for example: <code>/etc/zabbix/zabbix.conf.php</code>. This file cannot be rendered before since the owner is created in the following task.<br />A nonexistent path mentioned in the <code>open_basedir</code> PHP configuration seems to be without any consequence.</p>

DuckCorp Infrastructure - Review #704 (Resolved): duckcorp-infra: move supervision server
https://projects.duckcorp.org/issues/704
2020-07-08T03:04:18Z
Pierre-Louis Bonicoli, pierre-louis.bonicoli@ir5.eu
<p>Repository/branch: <a href="https://vcs-git-viewer.duckcorp.org/?p=duckcorp/duckcorp-infra.git" class="external"><code>duckcorp-infra/move_sup_server</code></a></p>
<p>Supervision server: use Orthos instead of Nicecity</p>
<p>Tested with check mode enabled only using the following command:<br /><pre>
ansible-playbook --check -vv --diff playbooks/dc.yml -l Orthos -e_pg_version=11 -ehttpd_version=2.4.38 -ephp_minor_version=7.3
</pre></p>

DuckCorp Infrastructure - Review #703 (Resolved): dc-web: improve check mode support
https://projects.duckcorp.org/issues/703
2020-07-08T02:52:52Z
Pierre-Louis Bonicoli, pierre-louis.bonicoli@ir5.eu
<p>Repository/branch: <a href="https://vcs-git-viewer.duckcorp.org/?p=duckcorp/duckcorp-infra.git" class="external"><code>duckcorp-infra/dc-web_check_mode</code></a></p>
Improve check mode support:
<ul>
<li>don't fail when <code>rsync</code> binary isn't installed</li>
<li>allow apache2_module to fail when check mode is enabled and apache2ctl isn't installed yet</li>
</ul>

DuckCorp Infrastructure - Review #702 (Resolved): ansible-role-httpd_php_fpm: improve check mode ...
https://projects.duckcorp.org/issues/702
2020-07-07T09:36:07Z
Pierre-Louis Bonicoli, pierre-louis.bonicoli@ir5.eu
<p>Repository/branch: <a href="https://vcs-git-viewer.duckcorp.org/?p=duckcorp/ansible-role-httpd_php_fpm" class="external"><code>ansible-role-httpd_php_fpm/improve_check_mode_handling</code></a></p>
Improve check mode support:
<ul>
<li>check mode: handle <code>apache2_module</code> failure</li>
<li>don't check paths existence when check mode is enabled</li>
<li>Check mode: don't fail when <code>php</code> binary isn't installed</li>
</ul>
One unrelated change included:
<ul>
<li>Ensure <code>php_minor_version</code> var isn't empty</li>
</ul>

DuckCorp Infrastructure - Review #701 (Resolved): ansible-role-zabbix: improve check mode support
https://projects.duckcorp.org/issues/701
2020-07-01T16:44:58Z
Pierre-Louis Bonicoli, pierre-louis.bonicoli@ir5.eu
<p>Repository/branch: <a href="https://vcs-git-viewer.duckcorp.org/?p=duckcorp/ansible-role-zabbix" class="external"><code>ansible-role-zabbix/check_mode_support</code></a>.</p>
Improve check mode support:
<ul>
<li>when <code>psycopg/PostgreSQL</code> isn't installed yet</li>
<li>always execute <code>timedatectl</code> command</li>
</ul>

DuckCorp Infrastructure - Review #700 (Resolved): ansible-role-zabbix: Use 'timedatectl show'
https://projects.duckcorp.org/issues/700
2020-07-01T16:39:30Z
Pierre-Louis Bonicoli, pierre-louis.bonicoli@ir5.eu
<p>Repository/branch: <a href="https://vcs-git-viewer.duckcorp.org/?p=duckcorp/ansible-role-zabbix" class="external"><code>ansible-role-zabbix/timedatectl_show_is_available</code></a>.</p>
<p><code>timedatectl show</code> <a href="https://manpages.debian.org/buster/systemd/timedatectl.1.en.html" class="external">is now documented</a> and works well with Buster: use it.</p>

DuckCorp Infrastructure - Review #687 (Resolved): encrypt ansible vault password (locally)
https://projects.duckcorp.org/issues/687
2020-03-10T15:53:45Z
Pierre-Louis Bonicoli, pierre-louis.bonicoli@ir5.eu
<ol>
<li><code>duckcorp/admin:encrypt_vault_password</code> branch: encrypt Ansible Vault password</li>
<li><code>duckcorp/duckcorp-infra:decrypt_vault_password</code> branch: decrypt Ansible Vault password when needed</li>
</ol>

DuckCorp Infrastructure - Review #591 (In Progress): Commit eb15755f0416e4a07c8e585ec42db79051edb78f
https://projects.duckcorp.org/issues/591
2017-08-29T12:57:21Z
Pierre-Louis Bonicoli, pierre-louis.bonicoli@ir5.eu
<ul>
<li>ansible/host_vars/Thorfinn/backup.yml: should not <code>/usr/share/rbot/plugins</code> be added to <code>backup_important_custom</code> (I noted 'manual changes tracking in rbot plugins') ?</li>
<li>ansible/host_vars/Elwing/backup.yml: should not <code>/data/Vingilot_backup</code>, <code>/data/elwing_sys</code>, <code>/data/share/Data-Important</code> be added ?</li>
<li>s/backup_exclude/backup_excludes/ (same for backup_exclude_regex)</li>
<li>burp role should handle <code>exclude_regex</code> too</li>
</ul>

DuckCorp Infrastructure - Review #585 (In Progress): backup_duck
https://projects.duckcorp.org/issues/585
2017-08-29T11:59:20Z
Pierre-Louis Bonicoli, pierre-louis.bonicoli@ir5.eu

mkcert - Review #542 (In Progress): mkcert: allow to specify CONFDIR
https://projects.duckcorp.org/issues/542
2017-05-14T21:57:33Z
Pierre-Louis Bonicoli, pierre-louis.bonicoli@ir5.eu
<p>Please, could you review branches listed below ?</p>
<ul>
<li><code>Allow-to-define-CONFDIR</code></li>
<li><code>Key-size-synchronize-default-values-sample-values</code></li>
<li><code>Typo</code></li>
<li><code>improve-reliability-enable-some-checks</code></li>
<li><code>Handle-when-mkcert-isn-t-in-PATH</code></li>
<li><code>directory-might-not-exists</code></li>
</ul>
<p>These branches are available here <code>https://vcs-git.duckcorp.org/people/pilou/mkcert.git</code>.</p>

DuckCorp Infrastructure - Review #519 (In Progress): Review burp role
https://projects.duckcorp.org/issues/519
2017-04-03T12:00:00Z
Pierre-Louis Bonicoli, pierre-louis.bonicoli@ir5.eu
<p>The Burp role is available here: <a class="external" href="https://gitlab.com/pilou-/ansible-role-burp">https://gitlab.com/pilou-/ansible-role-burp</a>.</p>

DuckCorp Infrastructure - Review #518 (In Progress): Review branch backup
https://projects.duckcorp.org/issues/518
2017-04-03T11:58:27Z
Pierre-Louis Bonicoli, pierre-louis.bonicoli@ir5.eu
<p>This is a start: the committed configuration backs up only PostgreSQL databases hosted on Toushirou.</p>
<p>Other hosts/directories will be added later.</p>