DuckCorp Projects: Issues
https://projects.duckcorp.org/
https://projects.duckcorp.org/favicon.ico?1669909042
2020-08-28T10:34:19Z
DuckCorp Projects
Redmine
DuckCorp Infrastructure - Review #712 (Resolved): Fix 'ipaddr' Jinja filter usage and avoid a fork
https://projects.duckcorp.org/issues/712
2020-08-28T10:34:19Z
Pierre-Louis Bonicoli
pierre-louis.bonicoli@ir5.eu
<p><a href="https://vcs-git-viewer.duckcorp.org/?p=duckcorp/duckcorp-infra.git;a=log;h=refs/heads/fix_ipaddr_usage" class="external"><code>fix_ipaddr_usage</code></a> branch from <code>duckcorp-infra</code> repository.</p>
<p>Use <code>address</code> parameter with hosts and <code>network</code> parameter with ranges.</p>
<p><code>ipaddr</code> Jinja filter behavior is quiet unexpected but a fork of this filter isn't required.</p>
<p>Tested with the following play and command:</p>
<pre><code>- hosts: all<br /> tasks:<br /> - debug:<br /> msg: "{{ item ~ ' : ' ~ (item|ipaddr('address') or item|ipaddr('network')) ~ '/' ~ item|ipaddr('netmask') }}" <br /> loop: '{{ firewalling.whitelist }}'</code></pre>
<pre><code>$ ansible-playbook -c local -l Elwing test.yaml</code></pre>
<p>The playbook output is the same with these ipaddr versions:</p>
<p>- the one committed<br />- <a href="https://github.com/ansible/ansible/blob/stable-2.9/lib/ansible/plugins/filter/ipaddr.py" class="external">ansible/ansible: branch stable-2.9</a><br />- <a href="https://github.com/ansible-collections/ansible.netcommon/blob/1.1.2/plugins/filter/ipaddr.py" title="<redpre#5></code> tag" class="external">ansible-collections/ansible.netcommon</a></p>
<p>Relates: <a class="issue tracker-1 status-3 priority-6 priority-high2 closed" title="Bug: restrict LDAP service accounts (Resolved)" href="https://projects.duckcorp.org/issues/646">#646</a></p>
DuckCorp Infrastructure - Review #711 (Resolved): Allow to connect to services hosted on Orthos w...
https://projects.duckcorp.org/issues/711
2020-08-25T15:42:24Z
Pierre-Louis Bonicoli
pierre-louis.bonicoli@ir5.eu
<p><a href="https://vcs-git-viewer.duckcorp.org/?p=duckcorp/duckcorp-infra.git;a=log;h=refs/heads/allow_input_connections_from_hypervisor" class="external"><code>allow_input_connections_from_hypervisor</code></a> branch from <code>duckcorp-infra</code> repository.</p>
<p>Allow input connections from the hypervisor</p>
<p>While being at Conde, without this patch, I am not able to reach <code>sup.duckcorp.org</code>. Indeed the following packet is dropped:</p>
<p>On the hypervisor:</p>
<pre><code>IP 192.168.100.1.33874 > 192.168.100.2.443: Flags [S]</code></pre>
<p>where:</p>
<pre>
192.168.100.1: IP of the hypervisor on the bridge used with libvirt
192.168.100.2: Orthos
</pre>
<p>This patch has been applied already.</p>
DuckCorp Infrastructure - Review #707 (Resolved): ansible-role-zabbix: ignore debian bugs #909750
https://projects.duckcorp.org/issues/707
2020-07-09T00:45:21Z
Pierre-Louis Bonicoli
pierre-louis.bonicoli@ir5.eu
<p>Repository/branch: <a href="https://vcs-git-viewer.duckcorp.org/?p=duckcorp/ansible-role-zabbix" class="external"><code>ansible-role-zabbix/ignore_debian_bugs_#909750</code></a></p>
<p>Ignore debian bugs #909750, workaround this issue:</p>
<pre>
Reading package lists...
Building dependency tree...
Reading state information...
The following additional packages will be installed:
fontconfig-config fonts-dejavu-core libfontconfig1 libgd3 libjbig0
libjpeg62-turbo libtiff5 libwebp6 libxpm4 php php-bcmath php-gd
php-ldap php-mbstring php-pgsql php-xml php7.3 php7.3-bcmath php7.3-gd
php7.3-ldap php7.3-mbstring php7.3-pgsql php7.3-xml
Suggested packages:
libgd-tools
The following NEW packages will be installed:
fontconfig-config fonts-dejavu-core libfontconfig1 libgd3 libjbig0
libjpeg62-turbo libtiff5 libwebp6 libxpm4 php php-bcmath php-gd
php-ldap php-mbstring php-pgsql php-xml php7.3 php7.3-bcmath php7.3-gd
php7.3-ldap php7.3-mbstring php7.3-pgsql php7.3-xml zabbix-frontend-php
0 upgraded, 24 newly installed, 0 to remove and 40 not upgraded.
[...]
serious bugs of libfontconfig1 (-> 2.13.1-2) <Forwarded>
b1 - #909750 - applications tries to write to /usr/* directories via
libfontconfig1
Summary:
libfontconfig1(1 bug)
libfontconfig1 pinned by adding Pin preferences in
/etc/apt/preferences.d/apt-listbugs. Restart APT session to enable
**********************************************************************
****** Exiting with an error in order to stop the installation. ******
**********************************************************************
</pre>
DuckCorp Infrastructure - Review #706 (Resolved): ansible-role-httpd_php_fpm: dont_check_potentia...
https://projects.duckcorp.org/issues/706
2020-07-08T19:59:48Z
Pierre-Louis Bonicoli
pierre-louis.bonicoli@ir5.eu
<p>Repository/branch: <a href="https://vcs-git-viewer.duckcorp.org/?p=duckcorp/ansible-role-httpd_php_fpm" class="external"><code>ansible-role-httpd_php_fpm/dont_check_potentially_non_existent_path</code></a></p>
<p>Don't check existence of potentially nonexistent paths.</p>
<p>Some paths might be created later, for example: <code>/etc/zabbix/zabbix.conf.php</code>. This file can not be rendered before since owner is created in the following task.<br />Nonexistent path mentioned in <code>open_basedir</code> php configuration seems to be without any consequence.</p>
DuckCorp Infrastructure - Review #705 (Rejected): ansible-role-httpd_php_fpm: create Unix group u...
https://projects.duckcorp.org/issues/705
2020-07-08T19:49:29Z
Pierre-Louis Bonicoli
pierre-louis.bonicoli@ir5.eu
<p>Repository/branch: <a href="https://vcs-git-viewer.duckcorp.org/?p=duckcorp/ansible-role-httpd_php_fpm" class="external"><code>ansible-role-httpd_php_fpm/create_unix_group_for_pool_workers</code></a></p>
<p>Create Unix group used for pool workers.</p>
<p>Fix this error:</p>
<pre>
TASK [zabbix : Generate Zabbix UI configuration]
task path: duckcorp-infra/ansible/roles/zabbix/tasks/webui.yml:30
fatal: [Orthos]: FAILED! => {
"changed": false,
"owner": "root",
"group": "root",
"mode": "0644",
"msg": "chgrp failed: failed to look up group php_sup.duckcorp.org",
"path": "/etc/zabbix/zabbix.conf.php",
"state": "file",
}
</pre>
DuckCorp Infrastructure - Review #704 (Resolved): duckcorp-infra: move supervision server
https://projects.duckcorp.org/issues/704
2020-07-08T03:04:18Z
Pierre-Louis Bonicoli
pierre-louis.bonicoli@ir5.eu
<p>Repository/branch: <a href="https://vcs-git-viewer.duckcorp.org/?p=duckcorp/duckcorp-infra.git" class="external"><code>duckcorp-infra/move_sup_server</code></a></p>
<p>Supervision server: use Orthos instead of Nicecity</p>
<p>Tested with check mode enabled only using the following command:<br /><pre>
ansible-playbook --check -vv --diff playbooks/dc.yml -l Orthos -e_pg_version=11 -ehttpd_version=2.4.38 -ephp_minor_version=7.3
</pre></p>
DuckCorp Infrastructure - Review #703 (Resolved): dc-web: improve check mode support
https://projects.duckcorp.org/issues/703
2020-07-08T02:52:52Z
Pierre-Louis Bonicoli
pierre-louis.bonicoli@ir5.eu
<p>Repository/branch: <a href="https://vcs-git-viewer.duckcorp.org/?p=duckcorp/duckcorp-infra.git" class="external"><code>duckcorp-infra/dc-web_check_mode</code></a></p>
Improve check mode support:
<ul>
<li>don't fail when <code>rsync</code> binary isn't installed</li>
<li>allow apache2_module to fail when check mode is enabled and apache2ctl isn't installed yet</li>
</ul>
DuckCorp Infrastructure - Review #702 (Resolved): ansible-role-httpd_php_fpm: improve check mode ...
https://projects.duckcorp.org/issues/702
2020-07-07T09:36:07Z
Pierre-Louis Bonicoli
pierre-louis.bonicoli@ir5.eu
<p>Repository/branch: <a href="https://vcs-git-viewer.duckcorp.org/?p=duckcorp/ansible-role-httpd_php_fpm" class="external"><code>ansible-role-httpd_php_fpm/improve_check_mode_handling</code></a></p>
Improve check mode support:
<ul>
<li>check mode: handle <code>apache2_module</code> failure</li>
<li>don't check paths existence when check mode is enabled</li>
<li>Check mode: don't fail when <code>php</code> binary isn't installed</li>
</ul>
One unrelated change included:
<ul>
<li>Ensure <code>php_minor_version</code> var isn't empty</li>
</ul>
DuckCorp Infrastructure - Review #701 (Resolved): ansible-role-zabbix: improve check mode support
https://projects.duckcorp.org/issues/701
2020-07-01T16:44:58Z
Pierre-Louis Bonicoli
pierre-louis.bonicoli@ir5.eu
<p>Repository/branch: <a href="https://vcs-git-viewer.duckcorp.org/?p=duckcorp/ansible-role-zabbix" class="external"><code>ansible-role-zabbix/check_mode_support</code></a>.</p>
Improve check mode support:
<ul>
<li>when <code>psycopg/PostgreSQL</code> isn't installed yet</li>
<li>always execute <code>timedatectl</code> command</li>
</ul>
DuckCorp Infrastructure - Review #700 (Resolved): ansible-role-zabbix: Use 'timedatectl show'
https://projects.duckcorp.org/issues/700
2020-07-01T16:39:30Z
Pierre-Louis Bonicoli
pierre-louis.bonicoli@ir5.eu
<p>Repository/branch: <a href="https://vcs-git-viewer.duckcorp.org/?p=duckcorp/ansible-role-zabbix" class="external"><code>ansible-role-zabbix/timedatectl_show_is_available</code></a>.</p>
<p><code>timedatectl show</code> <a href="https://manpages.debian.org/buster/systemd/timedatectl.1.en.html" class="external">is now documented</a> and works well with Buster: use it.</p>
DuckCorp Infrastructure - Review #687 (Resolved): encrypt ansible vault password (locally)
https://projects.duckcorp.org/issues/687
2020-03-10T15:53:45Z
Pierre-Louis Bonicoli
pierre-louis.bonicoli@ir5.eu
<ol>
<li><code>duckcorp/admin:encrypt_vault_password</code> branch: encrypt Ansible Vault password</li>
<li><code>duckcorp/duckcorp-infra:decrypt_vault_password</code> branch: decrypt Ansible Vault password when needed</li>
</ol>
DuckCorp Infrastructure - Review #686 (Resolved): enable fstrim
https://projects.duckcorp.org/issues/686
2020-02-19T07:58:07Z
Pierre-Louis Bonicoli
pierre-louis.bonicoli@ir5.eu
<p>Enable fstrim when at least one SSD is installed</p>
DuckCorp Infrastructure - Review #685 (Resolved): opendnssec isn't used anymore
https://projects.duckcorp.org/issues/685
2020-02-19T07:56:27Z
Pierre-Louis Bonicoli
pierre-louis.bonicoli@ir5.eu
<ul>
<li>purge opendnssec Debian package</li>
<li>update srv_dns_update_zone</li>
</ul>
DuckCorp Infrastructure - Review #681 (Resolved): Undefined attribute: mda_usergroup
https://projects.duckcorp.org/issues/681
2019-10-09T10:18:46Z
Pierre-Louis Bonicoli
pierre-louis.bonicoli@ir5.eu
<p>Fix the following error:</p>
<pre>
$ ansible-playbook playbooks/tenants/duckcorp/security.yml -u root
TASK [dc-antivirus : ClamAV Setup -- Connection Type] ***********************************************************************************************************************
fatal: [Orfeo]: FAILED! => {"msg": "The task includes an option with an undefined variable. The error was: 'dict object' has no attribute 'mda_usergroup'\n\nThe error appears to be in '/srv/share/src/duckcorp/duckcorp-infra.git/ansible/roles/dc-antivirus/tasks/main.yml': line 21, column 3, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n notify: Reconfigure ClamAV\n- name: ClamAV Setup -- Connection Type\n ^ here\n"}
</pre>
DuckCorp Infrastructure - Review #632 (Resolved): dropbear in initramfs: ansibilize
https://projects.duckcorp.org/issues/632
2018-08-26T00:03:37Z
Pierre-Louis Bonicoli
pierre-louis.bonicoli@ir5.eu
<pre>
$ apt-get install dropbear-initramfs
$ cp /root/.ssh/authorized_keys /etc/dropbear-initramfs/authorized_keys
$ update-initramfs -u -k all # when above command is changed
# Because default configuration doesn't work:
# @GRUB_CMDLINE_LINUX="ip=192.168.3.5::192.168.3.1:255.255.255.0::enp3s0f0:none cgroup_enable=memory swapaccount=1"@ in /etc/default/grub
$ update-grub # above command is changed when
<pre></pre>