open-build-service-debian merge requestshttps://gitlab.collabora.com/obs/open-build-service-debian/-/merge_requests2022-04-01T09:40:52Zhttps://gitlab.collabora.com/obs/open-build-service-debian/-/merge_requests/28Disable rate limiting in Apache as it interferes with downloads2022-04-01T09:40:52ZAndrej Shaduraandrew.shadura@collabora.co.ukDisable rate limiting in Apache as it interferes with downloadsAny protection of this kind is best done elsewhere e.g. in the frontend
proxy.
See https://phabricator.apertis.org/T8569Any protection of this kind is best done elsewhere e.g. in the frontend
proxy.
See https://phabricator.apertis.org/T8569https://gitlab.collabora.com/obs/open-build-service-debian/-/merge_requests/27Move hostname ip entry to the end of /etc/hosts2022-03-17T13:54:29ZRitesh Raj SarrafMove hostname ip entry to the end of /etc/hostsspymemcached package is FTBFS because a test expects a reverse lookup of
127.0.0.1 to return localhost, but current /etc/hosts configuration
returns the hostname instead.
Let's move this `hostname/ip` entry to the end of /etc/hosts so t...spymemcached package is FTBFS because a test expects a reverse lookup of
127.0.0.1 to return localhost, but current /etc/hosts configuration
returns the hostname instead.
Let's move this `hostname/ip` entry to the end of /etc/hosts so the
reverse lookup of 127.0.0.1 returns localhost, which makes sense to be
the default case usually.
Signed-off-by: Ariel D'Alessandro <ariel.dalessandro@collabora.com>
Signed-off-by: Ritesh Raj Sarraf <ritesh.sarraf@collabora.com>https://gitlab.collabora.com/obs/open-build-service-debian/-/merge_requests/26Generate the backend image2022-01-31T08:51:29ZAndrej Shaduraandrew.shadura@collabora.co.ukGenerate the backend imageMove the backend image generation from obs/docker-obs> and skip Debian packages entirely.
Note: change target branch after !25 has been merged.Move the backend image generation from obs/docker-obs> and skip Debian packages entirely.
Note: change target branch after !25 has been merged.https://gitlab.collabora.com/obs/open-build-service-debian/-/merge_requests/25Simplify the container setup2021-12-08T14:33:09ZAndrej Shaduraandrew.shadura@collabora.co.ukSimplify the container setupAs described in [T31547](https://phabricator.collabora.com/T31547), this merge request removes the following from the front-end image:
* Apache + mod_passenger
* MariaDB
* memcached
MariaDB and memcached are best provided by separately ...As described in [T31547](https://phabricator.collabora.com/T31547), this merge request removes the following from the front-end image:
* Apache + mod_passenger
* MariaDB
* memcached
MariaDB and memcached are best provided by separately maintainer container images, while there really is no need to run Apache and terminate TLS inside of the front-end container. Instead of Apache + Passenger, use Puma, which seems to be the standard solution for cases like this.
After this MR is accepted, the `obs-api` container can be replaced by the following configuration (in terms of Docker Compose):
```yaml
obs-db:
image: mariadb:10.6
restart: unless-stopped
volumes:
- /srv/docker/obs-api/mysql:/var/lib/mysql
environment:
MARIADB_ROOT_PASSWORD: someobs
MARIADB_DATABASE: obsapi
MARIADB_USER: obs-api
MARIADB_PASSWORD: someobs
networks:
- obs
cache:
image: memcached:1.6-alpine
restart: unless-stopped
networks:
- obs
obs-frontend:
depends_on:
- obs-server
image: obs/obs-frontend
hostname: obs-api
restart: unless-stopped
environment:
DB_HOST: obs-db
DB_PORT: 3306
DB_ROOT_PASSWORD: someobs
DB_NAME: obsapi
DB_USER: obs-api
DB_PASSWORD: someobs
OBS_BACKEND_HOST: obs-server
OBS_FRONTEND_WORKERS: 4
networks:
- obs
ports:
- "127.0.0.1:3000:3000"
depends_on:
- obs-db
- cache
```https://gitlab.collabora.com/obs/open-build-service-debian/-/merge_requests/24Add OmniAuth OpenID Connect support2021-11-22T15:20:52ZAndrej Shaduraandrew.shadura@collabora.co.ukAdd OmniAuth OpenID Connect supportAdd `omniauth-openid-connect` and other related gems in order to support
OpenID Connect in OmniAuth. A better choice would have been
`omniauth_openid_connect`, but its dependencies require newer Ruby and
Ruby on Rails.
Bring as much as ...Add `omniauth-openid-connect` and other related gems in order to support
OpenID Connect in OmniAuth. A better choice would have been
`omniauth_openid_connect`, but its dependencies require newer Ruby and
Ruby on Rails.
Bring as much as possible from the packages to avoid
accidental breakage.https://gitlab.collabora.com/obs/open-build-service-debian/-/merge_requests/23Allow looking up users by an email address2021-09-15T15:17:34ZAndrej Shaduraandrew.shadura@collabora.co.ukAllow looking up users by an email address<s>Looking up users by an email address is necessary for e.g. authentication mediator to work.
This does not pose any greater privacy or security risk than the currently available APIs, since they already allow finding a user by their em...<s>Looking up users by an email address is necessary for e.g. authentication mediator to work.
This does not pose any greater privacy or security risk than the currently available APIs, since they already allow finding a user by their email address, albeit much slower (list all users, iterate over users, request emails; possible to optimise by first checking users with usernames similar to their email addresses).</s>
Apparently this works:
```
$ osc api "/search/person?match=@email='hvogel@suse.com'"
<collection matches="1">
<person>
<login>hennevogel</login>
<email>hvogel@suse.com</email>
<realname>Hendrik Vogelsang</realname>
<state>confirmed</state>
<globalrole>Staff</globalrole>
</person>
</collection>
```https://gitlab.collabora.com/obs/open-build-service-debian/-/merge_requests/22Fix paths in the fix-embedded-js.patch to absolute2021-05-27T12:19:16ZAndrej Shaduraandrew.shadura@collabora.co.ukFix paths in the fix-embedded-js.patch to absoluteRelative paths fail to load from non-root pages.
Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>Relative paths fail to load from non-root pages.
Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>https://gitlab.collabora.com/obs/open-build-service-debian/-/merge_requests/21OBS SSO implementation2021-06-24T07:54:04ZAndrej Shaduraandrew.shadura@collabora.co.ukOBS SSO implementationThis is work in progress, see https://phabricator.apertis.org/T7891.This is work in progress, see https://phabricator.apertis.org/T7891.https://gitlab.collabora.com/obs/open-build-service-debian/-/merge_requests/20Really apply the OBS ACL patches2021-02-05T13:58:23ZRitesh Raj SarrafReally apply the OBS ACL patchesRitesh Raj SarrafRitesh Raj Sarrafhttps://gitlab.collabora.com/obs/open-build-service-debian/-/merge_requests/19Make obs-worker depend on either libarchive-tools or bsdtar2020-04-16T11:08:40ZAndrej Shaduraandrew.shadura@collabora.co.ukMake obs-worker depend on either libarchive-tools or bsdtarSince libarchive 3.2.1-2 bsdtar has been provided by libarchive-tools, while 3.4.0-1 dropped bsdtar transitional package completely.Since libarchive 3.2.1-2 bsdtar has been provided by libarchive-tools, while 3.4.0-1 dropped bsdtar transitional package completely.https://gitlab.collabora.com/obs/open-build-service-debian/-/merge_requests/18Fix changelog for d/changelog2021-01-25T16:20:19ZRitesh Raj SarrafFix changelog for d/changelogSigned-off-by: Ritesh Raj Sarraf <ritesh.sarraf@collabora.com>Signed-off-by: Ritesh Raj Sarraf <ritesh.sarraf@collabora.com>https://gitlab.collabora.com/obs/open-build-service-debian/-/merge_requests/17Wip/ritesh/clean up obs packaging2020-03-17T15:01:42ZRitesh Raj SarrafWip/ritesh/clean up obs packagingBuilt successfully on my local Stretch Pbuilder imageBuilt successfully on my local Stretch Pbuilder imagehttps://gitlab.collabora.com/obs/open-build-service-debian/-/merge_requests/16WIP: Enable HTTPS communication between services2021-11-22T15:15:43ZAndrej Shaduraandrew.shadura@collabora.co.ukWIP: Enable HTTPS communication between servicesWhen workers and services are located in different networks, we don’t want to send traffic unencrypted and open to anyone to listen to.
Make it possible to easily opt in to HTTPS communication by changing the service URLs in `BSConfig`.When workers and services are located in different networks, we don’t want to send traffic unencrypted and open to anyone to listen to.
Make it possible to easily opt in to HTTPS communication by changing the service URLs in `BSConfig`.https://gitlab.collabora.com/obs/open-build-service-debian/-/merge_requests/15Acl hacks2019-12-04T08:33:37ZVivek Das MohapatraAcl hackshttps://phabricator.apertis.org/T5645
Permit private (access-disabled) projects to be used by other projects for build dependencies.
- Other private projects need no special permissions
- Public (access-enabled) projects must be whiteli...https://phabricator.apertis.org/T5645
Permit private (access-disabled) projects to be used by other projects for build dependencies.
- Other private projects need no special permissions
- Public (access-enabled) projects must be whitelisted by the private project
- This is via an <allowbuilddep name="name-of-public-project"/> in the private project's meta config
- Users with read permission for a public project but not for a project it depends on may view the public project's meta config but will not be able to (safely) save it.https://gitlab.collabora.com/obs/open-build-service-debian/-/merge_requests/14Backport the autopkgtests added to the Debian OBS package2019-04-03T08:41:49ZLucas KanashiroBackport the autopkgtests added to the Debian OBS packageAll the test cases are passing successfully in my local environment. I am using the autopkgtest's `qemu` backend with a Debian stretch vm created using `vmdeboostrap`.All the test cases are passing successfully in my local environment. I am using the autopkgtest's `qemu` backend with a Debian stretch vm created using `vmdeboostrap`.https://gitlab.collabora.com/obs/open-build-service-debian/-/merge_requests/13T13997 Upgrading from OBS 2.7.1 to 2.7.42019-03-27T02:41:24ZHéctor Orón MartínezT13997 Upgrading from OBS 2.7.1 to 2.7.4Create obsapi and manage services with it.
Backport fixes from `debian/master` branch.Create obsapi and manage services with it.
Backport fixes from `debian/master` branch.Andrew LeeAndrew Leehttps://gitlab.collabora.com/obs/open-build-service-debian/-/merge_requests/12Move patch to publish asc files out of the collabora folder2019-04-03T08:42:24ZLucas KanashiroMove patch to publish asc files out of the collabora folderIt is an upstream-able patch (it was already submitted upstream),
so there is no collabora specifics here.It is an upstream-able patch (it was already submitted upstream),
so there is no collabora specifics here.https://gitlab.collabora.com/obs/open-build-service-debian/-/merge_requests/11Publish ddeb files2019-03-25T12:14:42ZLucas KanashiroPublish ddeb filesThis MR depends on !7This MR depends on !7https://gitlab.collabora.com/obs/open-build-service-debian/-/merge_requests/10worker: override DefaultTasksMax2019-03-22T12:46:13ZHéctor Orón Martínezworker: override DefaultTasksMaxThe following error
```
[ 67s] Unpacking gcc-7 (7.3.0-16ubuntu3) ...
[ 67s] dpkg-deb: unrecoverable fatal error, aborting:
[ 67s] fork failed: Resource temporarily unavailable
[ 67s] dpkg: error processing archive /var/cach...The following error
```
[ 67s] Unpacking gcc-7 (7.3.0-16ubuntu3) ...
[ 67s] dpkg-deb: unrecoverable fatal error, aborting:
[ 67s] fork failed: Resource temporarily unavailable
[ 67s] dpkg: error processing archive /var/cache/apt/archives/gcc-7_7.3.0-16ubuntu3_i386.deb (--unpack):
[ 67s] dpkg-deb --fsys-tarfile subprocess returned error exit status 2
[ 67s] dpkg: unrecoverable fatal error, aborting:
[ 67s] fork failed: Resource temporarily unavailable
[ 67s] /usr/sbin/debootstrap: 996: /usr/sbin/debootstrap: Cannot fork
[...]
```
happens since all builds happen in the same cgroup which is limited to 4915
tasks by systemd's per-service defaults. If it reaches a total of
4915 tasks (processes and threads) calls like `fork()`, `clone()`,
`pthread_create()` will fail.
Raise the limit to 64000 processes, which is similar to the NPROC rlimit that would be used if the cgroup didn't impose a task limit at all.
This is a short term fix proposed by Simon McVittie, while the long term
solution should place each `bs_worker` instance in its own systemd-managed
cgroup. The default task limit of 4915 might then be adequate.
Signed-off-by: Héctor Orón Martínez <hector.oron@collabora.com>https://gitlab.collabora.com/obs/open-build-service-debian/-/merge_requests/9Revert "Merge branch 'T13142-TasksMax' into 'collabora/master'"2019-03-22T09:44:28ZHéctor Orón MartínezRevert "Merge branch 'T13142-TasksMax' into 'collabora/master'"This reverts merge request !8This reverts merge request !8