#5147 Create fedmsg certs / keys for openQA
Closed: Fixed None Opened 8 years ago by adamwill.

I've written an openQA plugin which should emit fedmsgs, via fedmsg-logger. Right now it basically does this:

{{{
fedmsg-logger --cert-prefix=openqa --modname=openqa --topic=job.done --json-input --message=(somejson)
}}}

the topic varies, of course, job.done is an example. I'm hardcoding a certificate prefix for now (the default is 'shell', which I don't think is what we want).

So now I need the openqa hosts - openqa01 and openqa-stg01 - to be set up such that this fedmsg-logger command will send an appropriately-signed message to the appropriate place. I'm pretty sure I need someone to create a cert and key for each. I think I'm meant to add something like this to the group vars:
{{{
fedmsg_certs:
  - service: openqa
    owner: root
    group: geekotest
    can_send:
      (list of topics)
}}}
which should, I think, cause something like /etc/pki/fedmsg/openqa-(hostname).crt and /etc/pki/fedmsg/openqa-(hostname).key to appear on each host, and then I think fedmsg-logger should sign the messages with that key. But I believe the keys and certs have to be generated and added to the private store first, right?

(I'll also have to deal with the fact that fedmsg/base doesn't work for QA hosts, by running it then removing the bad bits or copying the bits I need or something, but that's another problem).
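As an added illustration (not code from this ticket, from fedmsg, or from the ansible role), the following models the consumer-side check that the `fedmsg_certs` entry above is meant to configure: the expected `/etc/pki/fedmsg/<service>-<hostname>.{crt,key}` paths, the `<service>-<hostname>` signer name, and the routing policy that fedmsg's documented `routing_policy` / `routing_nitpicky` settings apply to a signed message's topic. The hostnames, the `can_send` topics and all helper names are this example's own assumptions.

```python
"""Added example: fedmsg-style topic authorization for a signing cert.

Not code from the ticket or from fedmsg; the policy shape (full topic ->
list of "<service>-<hostname>" signer CNs) and the nitpicky semantics
follow fedmsg's documented routing_policy / routing_nitpicky settings.
"""
import os

# Constructed sample of the fedmsg_certs group vars from the ticket; the
# can_send topics are placeholders, not the real openQA topic list.
FEDMSG_CERTS = [
    {
        "service": "openqa",
        "owner": "root",
        "group": "geekotest",
        "can_send": ["openqa.job.create", "openqa.job.done"],
    }
]

# Assumed host names; the real hosts are openqa01 and openqa-stg01.
HOSTS = ["openqa01.example.invalid", "openqa-stg01.example.invalid"]


def cert_paths(service, hostname, pki_dir="/etc/pki/fedmsg"):
    """Paths the ticket expects on each host: <service>-<hostname>.{crt,key}."""
    base = os.path.join(pki_dir, "%s-%s" % (service, hostname))
    return base + ".crt", base + ".key"


def signer_cn(service, hostname):
    """Signer identity fedmsg derives from the cert (assumed <service>-<hostname>)."""
    return "%s-%s" % (service, hostname)


def build_routing_policy(certs, hosts, env="prod"):
    """Expand fedmsg_certs entries plus hosts into a routing_policy dict.

    Each can_send topic becomes "org.fedoraproject.<env>.<topic>" and maps
    to every signer CN allowed to publish on it (one per host).
    """
    policy = {}
    for entry in certs:
        for topic in entry["can_send"]:
            full_topic = "org.fedoraproject.%s.%s" % (env, topic)
            allowed = policy.setdefault(full_topic, [])
            for host in hosts:
                allowed.append(signer_cn(entry["service"], host))
    return policy


def validate_policy(policy, topic, cn, nitpicky=False):
    """Decide whether a message signed by `cn` may carry `topic`.

    Documented fedmsg semantics: a topic listed in the policy accepts only
    the listed CNs; an unlisted topic is accepted unless nitpicky is on.
    """
    if topic in policy:
        return cn in policy[topic]
    return not nitpicky


if __name__ == "__main__":
    policy = build_routing_policy(FEDMSG_CERTS, HOSTS)
    topic = "org.fedoraproject.prod.openqa.job.done"
    for prefix in ("openqa", "shell"):  # 'shell' is fedmsg-logger's default prefix
        cn = signer_cn(prefix, HOSTS[0])
        print(cn, "->", "accepted" if validate_policy(policy, topic, cn) else "rejected")
```

The `shell` case is why the ticket hardcodes `--cert-prefix=openqa`: a message signed with the default `shell-<hostname>` cert carries a CN that is not in the `can_send` list for the openQA topics, so a nitpicky consumer (or any consumer for a listed topic) rejects it.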


I'll take this on. We're going to need some other pieces too (like a firewall rule whitelisting the openqa nodes, for which we'll need a freeze break request).

We can at least get staging moving along for now.

So we're definitely getting somewhere with this! I can now apparently send messages from staging openQA and fedmsg-tail on the same machine sees them, apparently with correct signatures. Not sure if they're getting out to the real world.

There are still a couple of things wrong in the fedmsg config for QA hosts which I had to hack up: policy.py is created (which I think you meant to leave out), and the relay.py from fedmsg/base is installed but seems not to work; it prevents fedmsg-relay from starting up, claiming it can't connect to any outgoing endpoints. Overwriting it with the relay.py from the package seems to make things work.

I threw in a silly 'fixes' role for openqa temporarily to wipe policy.py and overwrite relay.py with the packaged file, until we can shake those bugs out. I'm gonna turn it on for prod and see what happens...

So I'm having a bit of a struggle with relay.py, I think.

If I use the packaged one, which uses 127.0.0.1 for both relay_inbound and relay_outbound, everything appears to work, but published messages don't make it out to the 'real' fedmsg I don't think (if I fedmsg-tail on the server itself, I see the messages, but if I fedmsg-tail on my desktop, I don't).

If I use the relay_outbound from the fedmsg/base role, which points to some internal server, fedmsg-relay fails to start up because it cannot connect to that server.

I tried a hybrid relay.py with the relay_inbound from fedmsg/base and the relay_outbound from the package (127.0.0.1), and fedmsg-relay starts up, but sent fedmsgs don't seem to appear on the local system or on the 'real' bus (I don't see them with a fedmsg-tail on my desktop).

Welp, seems to be working now! We have openQA fedmsgs appearing from prod at least. Ralph is debugging staging. Thanks for all the help!
