There is always something to do if you run the infrastructure for such a big project like openSUSE....

Our Admin wiki currently lists over 80 machines - and while we already "salted" some of them, there is always room for improvement and room to learn something new just by making your hands dirty and diving into the administrator role for a machine.

During this project, I like to work on services on old machines and will try to bring them into a maintainable state again.

Looking for hackers with the skills:

opensuse infrastructure

This project is part of:

Hack Week 19 Hack Week 20

Activity

  • over 3 years ago: lrupp liked this project.
  • over 3 years ago: asmorodskyi joined this project.
  • over 3 years ago: danrodriguez liked this project.
  • over 3 years ago: SLindoMansilla joined this project.
  • over 3 years ago: SLindoMansilla liked this project.
  • over 3 years ago: dgedon liked this project.
  • over 3 years ago: ories liked this project.
  • over 3 years ago: hennevogel liked this project.
  • almost 5 years ago: keichwa liked this project.
  • almost 5 years ago: bmwiedemann liked this project.
  • almost 5 years ago: lrupp added keyword "opensuse" to this project.
  • almost 5 years ago: lrupp added keyword "infrastructure" to this project.
  • almost 5 years ago: lrupp started this project.
  • almost 5 years ago: lrupp originated this project.

  • Comments

    • lrupp
      over 3 years ago by lrupp | Reply

      Results of day 1:

      Working on backup

      Created a new machine to host generic backups in the future. At the moment, the openSUSE infrastructure does not really have any backup, so it might be a good idea to start with it. This machine is running in the heroes infrastructure now and providing 3TB backup space for machines.

      Speeding up Gitlab

      While installing the latest GitLab updates, we noticed the following error in the unicorn.stderr.log

      Unicorn::HttpServer:0x000055cbe4834bf8>: worker (pid: 5662) exceeds memory limit (702132224.0 bytes > 485455550 bytes)

      So the Unicorn worker has not enough memory to run properly. Let's check the documentation...

      ...and adjust the environment variables via systemd: systemctl edit gitlab-ce-unicorn.service

      > [Service]
      > Environment="GITLABUNICORNMEMORYMAX=1073741824" "GITLABUNICORNMEMORYMIN=805306368"

      this should be enough to get a more responsive WebUI. But we did not stop here and started to work on our CI pipelines.

      In our Salt-CI, we use Docker containers to run some test scripts. Let's have a look at their test runtimes:

      • validate 1:50
      • upstream formulas show highstate 3:17
      • show highstate 3:35
      • test nginx 4:04
      • test sudo 4:38

      So we have a total runtime for all tests of: 17:24 min. A very long time!

      One culprint was, that our CI did not define a specialized container. So it felt back to the standard container, which is defined in the Gitlab-Runner config: registry.opensuse.org/opensuse/leap:15.2. As this base image does neither include the packages needed for testing nor additional repositories, our script to prepare the test environment was required to add these repositories and install the missing packages (~85 RPMs) again and again for each test run.

      With the help of Darix, we were able to setup two new Container images in our openSUSE:infrastructure repository:

      • container-heroes-base - we based this on the openSUSE Leap 15.2 container from above, but already added our own repository and the package with our internal certificates. This image can be the base for any further images we want to run in our infrastructure.
      • container-heroes-salt-testing - This container uses the latest heroes-base container and installs the packages that were installed by the preparation script before.

      Together with the following change in our ~/.gitlab-ci.yml: image: registry.opensuse.org/opensuse/infrastructure/containers/heroes-salt-testing:latest we were able to reduce the test runtime to:

      • validate 0:50
      • upstream formulas show highstate 2:06
      • show highstate 1:43
      • test nginx 2:49
      • test sudo 3:34

      Which reduced the runtime to 11:02 min (~63%).

      With more specialized Docker images for the nginx and sudo tests, we should be able to reduce the time even more (below 10min?), but the next bigger step might be to distribute as many tests as possible and run them in parallel.

      Last but not least, defining:

      > variables:
      > DOCKER_DRIVER: overlay2

      in our ~/.gitlab-ci.yml resulted in a few seconds less, but this might not be that relevant.

    • lrupp
      over 3 years ago by lrupp | Reply

      Results of day 2:

      15.3 upgrades

      Did you know that we already reached the Beta phase of our glorious, "conservative" part of the openSUSE distribution?

      15.3 is knocking at the door and some of the openSUSE infrastructure is already using it!

      Our status page, some of our static pages, one DNS server and some more machines have already been migrated from 15.2 to 15.3 add-emoji

      Workflow (if the 'baseurl' in your '*.repo' files below /etc/zypp/repos.d/ contains '$releasever' in the URL):

       zypper clean -a
       zypper --releasever 15.3 ref
       zypper --releasever 15.3 dup --allow-vendor-change
       cd /etc/products.d/ && ln -sf Leap.prod baseproduct
       zypper --non-interactive purge-kernels && grub2-mkconfig -o /boot/grub2/grub.cfg
       reboot
      

      Some stuff above is needed because there are still some rogue edges in the Beta version, but in general everything worked and runs smoothly.

      DNSSec

      ~10 years ago (WOW!), we decided to use FreeIPA to manage the openSUSE hero admin accounts as well as the DNS domain. Until today, the (meanwhile ~80 openSUSE heroes) manage 31 different DNS domains. Some of them are internal, but many of them are public domains, somehow related to openSUSE.

      As we want to enable DNSSec, it is time to review the setup and check what needs to be done:

      • split out the DNS management from the old FreeIPA installation (go with a "keep it simple" approach)
      • our internal, hidden master should learn to manage DNSSec - best case with little to no effort for us
      • provide a nice and shiny WebUI for those, who don't like vi but need to update DNS records

      We searched around and came to the conclusion that we will keep our internal DNS master running on PowerDNS, but extend it with PowerDNS-Admin, a nice WebUI for managing the PowerDNS server and it's zones. As the WebUI currently requires some more current Python packages than those which are available on Leap 15.3, we decided to create a dedicated repository in OBS for it.

      Thanks to pdns-util and Darix' console Kung-Fu, all DNS zones have been migrated away from FreeIPA in nearly no time.

      So it looks like we are just one click away from enabling DNSSec for the opensuse.org DNS zone on the PowerDNS side. Sadly we ran out of time this week to work further on this. But we will start the first DNSSec tests in the next days with some of the domains which are not used at the moment. Once this looks fine, we will try to utilize the API of our Registrar to exchange the signing keys automatically. So there might be some bumby road ahead (depending on the permission to access the API), but we are a big step forward to get DNSSec implemented this year.

    Similar Projects

    New migration tool for Leap by lkocman

    Update

    I will call a meeting with other interested people at 11:00 CET https://meet.opensuse.org/migrationtool

    Description

    SLES 16 plans to have no yast tool in it. Leap 16 might keep some bits, however, we need a new tool for Leap to SLES migration, as this was previously handled by a yast2-migration-sle

    Goals

    A tool able to migrate Leap 16 to SLES 16, I would like to cover also other scenarios within openSUSE, as in many cases users would have to edit repository files manually.

    • Leap -> SLES docs
    • Leap 15 -> Leap 16 (or generally within Leap releases)
    • Leap -> Tumbleweed
    • Leap -> Slowroll

    Out of scope is any migration to an immutable system. I know Richard already has some tool for that.

    Resources

    code-o-o/leap/features#173 YaST stack reduction

    Repository

    github


    Enlightenment in Leap 16 by simotek

    Description

    Get the Enlightenment stack + X11 building and running on the Leap 16 codebase.

    Goals

    • Get enlightenment / terminology compiling for Leap 16
    • Test that they are running correctly in a Virtual Machine.

    Resources


    Create openSUSE images for Arm/RISC-V boards by avicenzi

    Project Description

    Create openSUSE images (or test generic EFI images) for Arm and/or RISC-V boards that are not yet supported.

    Goal for this Hackweek

    Create bootable images of Tumbleweed for SBCs that currently have no images available or are untested.

    Consider generic EFI images where possible, as some boards can hold a bootloader.

    Document in the openSUSE Wiki how to flash and use the image for a given board.

    Boards that I have around and there are no images:

    • Rock 3B
    • Nano PC T3 Plus
    • Lichee RV D1
    • StartFive VisionFive (has some image needs testing)

    Hack Week 22

    Hack Week 21

    Resources


    New openSUSE-welcome by lkocman

    Project Description

    Let's revisit our existing openSUSE welcome app.

    My goal was to show Leap 16 in a new coat. Welcome app adds to the first time use experience. We've recently added donation button to our existing welcome.

    Some things that I recently wanted to address were EOL and possibly upgrade notification.

    I've already done some experiments with mint welcome app, but not sure if it's better than the existing one.

    There is also a PR to rework existing app https://github.com/openSUSE/openSUSE-welcome/pull/36 (this should be considered as an option too)

    Goal for this Hackweek

    New welcome app, possibly with EOL notification for Leap.

    1) Welcome application(s) with (rebrand changes) maintained under github.com/openSUSE

    2) Application is submitted to openSUSE:Factory && openSUSE:Leap:16.0

    3) Updated needles in openQA (probably post hackweek)

    Resources

    Reddit discussion about the best welcome app out there.

    Github repo for the current welcome app.


    Update Haskell ecosystem in Tumbleweed to GHC-9.10.x by psimons

    Description

    We are currently at GHC-9.8.x, which a bit old. So I'd like to take a shot at the latest version of the compiler, GHC-9.10.x. This is gonna be interesting because the new version requires major updates to all kinds of libraries and base packages, which typically means patching lots of packages to make them build again.

    Goals

    Have working builds of GHC-9.10.x and the required Haskell packages in 'devel:languages:haskell` so that we can compile:

    • git-annex
    • pandoc
    • xmonad
    • cabal-install

    Resources

    • https://build.opensuse.org/project/show/devel:languages:haskell/
    • https://github.com/opensuse-haskell/configuration/
    • #discuss-haskell
    • https://www.twitch.tv/peti343