rootroot/fedora-infrastructure
1
0
Fork 0
Code Issues 74 Pull requests Projects Releases Packages Wiki Activity Actions

please don't remove enrolled centos machines from IPA in staging #12514

New issue
Open
opened 2025-04-24 07:11:56 +00:00 by arrfab · 7 comments
arrfab commented 2025-04-24 07:11:56 +00:00 (Migrated from pagure.io)
Copy link

As CentOS and Fedora are using shared IPA backend for authentication, I'd request that nothing touching enrolled centos machines in IPA would be done (manually or through scripts)
I had to just waste my time this morning investigating why ipsilon (https://id.stg.centos.org) wasn't allowing anyone to auth (and so no openidc for services using our ipsilon instance)

Someone (who ? or a script ?) removed ipsilon.stg.iad2.centos.org from the ipsilon HBAC rule, denying so all auth requests .

Can you identify the root cause and ensure it wouldn't happen again please ?

Thanks a lot

As CentOS and Fedora are using shared IPA backend for authentication, I'd request that nothing touching enrolled centos machines in IPA would be done (manually or through scripts) I had to just waste my time this morning investigating why ipsilon (https://id.stg.centos.org) wasn't allowing anyone to auth (and so no openidc for services using our ipsilon instance) Someone (who ? or a script ?) removed `ipsilon.stg.iad2.centos.org` from the ipsilon HBAC rule, denying so all auth requests . Can you identify the root cause and ensure it wouldn't happen again please ? Thanks *a lot*
zlopez commented 2025-04-24 07:13:06 +00:00 (Migrated from pagure.io)
Copy link

Metadata Update from @zlopez:

  • Issue priority set to: Waiting on Assignee (was: Needs Review)
  • Issue tagged with: Needs investigation, high-gain, ops
**Metadata Update from @zlopez**: - Issue priority set to: Waiting on Assignee (was: Needs Review) - Issue tagged with: Needs investigation, high-gain, ops
arrfab commented 2025-04-24 07:17:39 +00:00 (Migrated from pagure.io)
Copy link

seems related to https://pagure.io/fedora-infra/ansible/blob/main/f/playbooks/groups/ipsilon.yml#_92 ...

seems related to https://pagure.io/fedora-infra/ansible/blob/main/f/playbooks/groups/ipsilon.yml#_92 ...
arrfab commented 2025-04-24 07:17:40 +00:00 (Migrated from pagure.io)
Copy link

Metadata Update from @arrfab:

  • Issue untagged with: Needs investigation, high-gain, ops
  • Issue priority set to: Needs Review (was: Waiting on Assignee)
**Metadata Update from @arrfab**: - Issue **un**tagged with: Needs investigation, high-gain, ops - Issue priority set to: Needs Review (was: Waiting on Assignee)
zlopez commented 2025-04-24 07:19:08 +00:00 (Migrated from pagure.io)
Copy link

Metadata Update from @zlopez:

  • Issue priority set to: Waiting on Assignee (was: Needs Review)
  • Issue tagged with: Needs investigation, high-gain, ops
**Metadata Update from @zlopez**: - Issue priority set to: Waiting on Assignee (was: Needs Review) - Issue tagged with: Needs investigation, high-gain, ops
zlopez commented 2025-04-24 07:23:54 +00:00 (Migrated from pagure.io)
Copy link

The change you are referring to happened 4 years ago. So I assume that didn't caused the machine to be removed.

The [change](https://pagure.io/fedora-infra/ansible/c/e92d0dda1a54a8576586450578f8873ce920530d) you are referring to happened 4 years ago. So I assume that didn't caused the machine to be removed.
kevin commented 2025-04-24 17:33:19 +00:00 (Migrated from pagure.io)
Copy link

Metadata Update from @kevin:

  • Issue assigned to kevin
**Metadata Update from @kevin**: - Issue assigned to kevin
kevin commented 2025-04-24 17:33:22 +00:00 (Migrated from pagure.io)
Copy link

It's actually https://pagure.io/fedora-infra/ansible/blob/main/f/playbooks/groups/ipsilon.yml#_101

It was using the wrong hostname... but that was set in 2021?
b8e6754f97c (Aurélien Bompard 2021-03-22 17:07:45 +0100 101) host: "{{ (env == 'production')|ternary('ipsilon.iad2.centos.org', 'centos-ipa-client02.stg.iad2.fedoraproject.org') }}"

anyhow, I changed it to ipsilon.stg.iad2.centos.org

If you can confirm it's fixed / working?

It's actually https://pagure.io/fedora-infra/ansible/blob/main/f/playbooks/groups/ipsilon.yml#_101 It was using the wrong hostname... but that was set in 2021? b8e6754f97c (Aurélien Bompard 2021-03-22 17:07:45 +0100 101) host: "{{ (env == 'production')|ternary('ipsilon.iad2.centos.org', 'centos-ipa-client02.stg.iad2.fedoraproject.org') }}" anyhow, I changed it to ipsilon.stg.iad2.centos.org If you can confirm it's fixed / working?
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
main
No results found.
Labels
Clear labels
No items
No labels
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: rootroot/fedora-infrastructure#12514
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?