#4783 new hub for Fedora/s390x
Closed: Fixed None Opened 8 years ago by sharkcz.

There are s390-koji01 and db-s390-koji01 hosts (guests) prepared for the new Fedora/s390x hub.

what should be done before we consider the hub ready
- switch builders to new certs from Fedora CA instead of using local CA
- install koji-builder on the hub, it is used to run newRepo tasks
- implement "shared shadow setup" from https://lists.fedoraproject.org/pipermail/rel-eng/2015-April/019805.html


Can you provide the fqdn for all the builders we need to make certs for?

I've added koji builder role on the hub there, but it needs a cert (like the others).

I guess the shared shadow setup will need someone to convert that sh script into an ansible role?

Replying to [comment:1 kevin]:

> Can you provide the fqdn for all the builders we need to make certs for?

the builders are fedoraX.s390.bos.redhat.com where X=1..7

> I've added koji builder role on the hub there, but it needs a cert (like the others).

I have used s390.koji.fedoraproject.org for the hub's cert

> I guess the shared shadow setup will need someone to convert that sh script into an ansible role?

Yes, and it will need some more thinking how to convert it to ansible and how to do it better, like converting to schemes Fedora uses for its servers, etc

When I'm thinking about it right now it is
- the group writeable /home/shadow dir, initialize git there again writeable by a group
- the group for people that can log in - use a new group in FAS? should every arch have its own group? can ansible update their default $PATH and umask (in .bash_profile)?
- apache config snippet to make the shadow dir published over http

But we can polish the details on the releng list so more people can influence it. AFAIK pbrobinson liked the idea.

certs have been made and put in ansible-private

my proposal for the 1st phase (without the multiuser setup) is the following:
- stop the old hub (httpd)
- make a dump of the koji db
- update DNS entries for s390.koji.fp.o and s390pkgs.fp.o
- update firewall access and NAT rules - might need RH IT for updating the rules on the RH<->Fedora border fw
- import the db dump
- switch host certs on the builders
- start the new hub (httpd)

Did I miss something?

I'd prefer a slightly different one:

  • stop old hub
  • make db dump
  • import db dump
  • swap ip addresses between old and new hubs. This will bring the new one 'live' without needing RHIT firewall changes or dns changes. (except internal).
  • switch host certs
  • start new hub

That avoids us having to deal with dns and firewall rules. Thoughts?

Replying to [comment:6 kevin]:

> I'd prefer a slightly different one:
>
>   • stop old hub
>   • make db dump
>   • import db dump
>   • swap ip addresses between old and new hubs. This will bring the new one 'live' without needing RHIT firewall changes or dns changes. (except internal).
>   • switch host certs
>   • start new hub
>
> That avoids us having to deal with dns and firewall rules. Thoughts?

yeah, that's a better option

Looks like we are going to try and do this switchover friday morning (2015-07-24).

The 1st phase should be over, there are first successful newRepo and build tasks now.

The required changes to the pre-installed hub were
- add /mnt/koji export to /etc/httpd/conf.d/kojihub.conf
- revert the "no SSL retry" patch 4de27c52d in koji 1.10 on the hub and builders

I'll go and close this now.

we can open new tickets for the ongoing work when we have an exact plan.
