#7965 Topic for Testing Farm - org.centos.prod.testing-farm.>
Closed: Fixed 9 days ago by kevin. Opened 2 months ago by mvadkert.

Hi,

We need a certificate to be able to write to the above topic and hierarchy below.

My GPG key is: curl https://keybase.io/thrix/key.asc

I work for OSCI / Testing Farm team


Which kind of certificate? Are you going to be using fedmsg or fedora-messaging? Talking to which bus? I assume prod based on the topic...

Metadata Update from @kevin:
- Issue priority set to: Waiting on Assignee (was: Needs Review)

2 months ago

@kevin We are going to use fedora-messaging, i.e. the AMQP based bus. And yes - prod bus.

Done. See out of band email.

Metadata Update from @kevin:
- Issue assigned to kevin
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)

2 months ago

@kevin I cannot find the out of band email, where did you send it please? My email address is mvadkert@redhat.com ...

That's the address I used. I just resent it from internal...let me know if you get it.

@kevin got it now! thanks very much!

Metadata Update from @mvadkert:
- Issue status updated to: Open (was: Closed)

a month ago

@kevin sorry for reopening, could we also get certs for dev and staging busses please? Seems as this is something we are developing, better to not use only production ...

@kevin, I cannot get my certificate working. This is the configuration file I use, but no luck with it.

Could you provide details on what is wrong with my setup?

# fedora-messaging --conf /etc/fedora-messaging/testing-farm.toml consume
[INFO fedora_messaging.cli] Starting consumer with fedora_messaging.example:printer callback
[INFO fedora_messaging._session] Authenticating with server using x509 (certfile: /etc/fedora-messaging/testing-farm-cert.pem, keyfile: /etc/fedora-messaging/testing-farm-key.pem)
[INFO twisted] Starting factory FedoraMessagingFactoryV2(parameters=<URLParameters host=rabbitmq.fedoraproject.org port=5671 virtual_host=/pubsub ssl=True>, confirms=True)
[ERROR fedora_messaging.cli] The TCP connection appears to have started, but the TLS or AMQP handshake with the broker failed; check your connection and authentication parameters and ensure your user has permission to access the vhost
[INFO twisted] <twisted.internet.tcp.Connector instance at 0x7f1fef521a90 disconnected IPv4Address(type='TCP', host='rabbitmq.fedoraproject.org', port=5671)> will retry in 2 seconds
[INFO twisted] Stopping factory FedoraMessagingFactoryV2(parameters=<URLParameters host=rabbitmq.fedoraproject.org port=5671 virtual_host=/pubsub ssl=True>, confirms=True)
[INFO fedora_messaging.twisted.protocol] Disconnect requested, but AMQP connection already gone
[INFO fedora_messaging.twisted.protocol] Disconnect requested, but AMQP connection already gone
[INFO twisted] Main loop terminated.
# cat /etc/fedora-messaging/testing-farm.toml
amqp_url = "amqps://testing-farm:@rabbitmq.fedoraproject.org/%2Fpubsub"
callback = "fedora_messaging.example:printer"

[tls]
ca_cert = "/etc/fedora-messaging/ca.crt"
keyfile = "/etc/fedora-messaging/testing-farm-key.pem"
certfile = "/etc/fedora-messaging/testing-farm-cert.pem"

[client_properties]
app = "Testing Farm Scheduler"
# Some suggested extra fields:
# URL of the project that provides this consumer
app_url = "https://github.com/fedora-infra/fedora-messaging"
# Contact emails for the maintainer(s) of the consumer - in case the
# broker admin needs to contact them, for e.g.
app_contacts_email = ["mvadkert@redhat.com"]

[exchanges."amq.topic"]
type = "topic"
durable = true
auto_delete = false
arguments = {}

# Queue names *must* be in the normal UUID format: run "uuidgen" and use the
# output as your queue name. If your queue is not exclusive, anyone can connect
# and consume from it, causing you to miss messages, so do not share your queue
# name. Any queues that are not auto-deleted on disconnect are garbage-collected
# after approximately one hour.
#
# If you require a stronger guarantee about delivery, please talk to Fedora's
# Infrastructure team.
[queues.a8497df6-3ca0-476a-9700-8332f43e1198]
durable = false
auto_delete = true
exclusive = true
arguments = {}

[[bindings]]
queue = "a8497df6-3ca0-476a-9700-8332f43e1198"
exchange = "amq.topic"
routing_keys = ["#"]  # Set this to the specific topics you are interested in.

[consumer_config]
example_key = "for my consumer"

[qos]
prefetch_size = 0
prefetch_count = 25

[log_config]
version = 1
disable_existing_loggers = true

[log_config.formatters.simple]
format = "[%(levelname)s %(name)s] %(message)s"

[log_config.handlers.console]
class = "logging.StreamHandler"
formatter = "simple"
stream = "ext://sys.stdout"

[log_config.loggers.fedora_messaging]
level = "INFO"
propagate = false
handlers = ["console"]

[log_config.loggers.twisted]
level = "INFO"
propagate = false
handlers = ["console"]

[log_config.loggers.pika]
level = "WARNING"
propagate = false
handlers = ["console"]

# If your consumer sets up a logger, you must add a configuration for it
# here in order for the messages to show up. e.g. if it set up a logger
# called 'example_printer', you could do:
#[log_config.loggers.example_printer]
#level = "INFO"
#propagate = false
#handlers = ["console"]

[log_config.root]
level = "ERROR"
handlers = ["console"]

The default fedora account for reading works on my machine.

04:04 < pingou> mvadkert: wild guess: the username was not created on the rabbitmq server

indeed the testing-farm user seems to be non-existent. What would be the best place in ansible for this kind of declaration? (since it's not tied to an app we host). It's just a rabbitmq_user module call.

@abompard would it be a problem to get it created manually for now, so I get unblocked, pretty please? And thanks for looking!

indeed the testing-farm user seems to be non-existent. What would be the best place in ansible for this kind of declaration? (since it's not tied to an app we host). It's just a rabbitmq_user module call.

I wonder if we shouldn't have a dedicated playbook for this (since there will be more apps like this one, we could then centralize them all in one playbook)

The user is created, it will be testing-farm.stg on testing and testing-farm on prod, and it requires the corresponding SSL certificate.

You can use the queue named testing-farm and testing-farm.stg on staging. This means changing your [queues.XXX] section and your [[bindings]] section.

You must also set passive_declares = true in the top (nameless) section of your configuration file.

Feel free to ping me on IRC if things still don't work.
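
The three changes from the comment above, applied to the production configuration posted earlier in this ticket. This is an added example, not part of the original thread; the queue property values are assumptions, since the thread does not state how the server-side queue was created.

```toml
# Sections not shown here ([tls], [client_properties], [exchanges."amq.topic"],
# [qos], [log_config...]) stay exactly as posted in the ticket.

amqp_url = "amqps://testing-farm:@rabbitmq.fedoraproject.org/%2Fpubsub"
callback = "fedora_messaging.example:printer"

# Change 1: passive_declares belongs to the top (nameless) section. In TOML
# that means it must appear before the first [table] header; placed lower
# down it would become a key of whichever table precedes it.
passive_declares = true

# Change 2: use the queue created on the broker for this user instead of a
# client-generated UUID queue.
[queues.testing-farm]
durable = true       # assumption: not stated in the ticket
auto_delete = false  # assumption: not stated in the ticket
exclusive = false    # assumption: not stated in the ticket
arguments = {}

# Change 3: the binding must name the same queue.
[[bindings]]
queue = "testing-farm"
exchange = "amq.topic"
routing_keys = ["#"]  # carried over from the posted config; narrow as needed

# Staging variant: the user and queue are both named testing-farm.stg and the
# staging certificate is required. The name contains a dot, so it must be
# quoted in the table header, the same way the posted config already quotes
# [exchanges."amq.topic"]. Unquoted, TOML would read it as a nested table
# "stg" inside "testing-farm".
#
# [queues."testing-farm.stg"]
# ...
# [[bindings]]
# queue = "testing-farm.stg"
```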

staging cert sent out of band. We don't have a dev bus. :(

Is this all done then? Or is there more to do here?

Let us know if there is anything more to do on this from our end.

:tractor:

Metadata Update from @kevin:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)

9 days ago

Sorry for the late reply, I am all set, thanks very much
