Hi,
We need a certificate to be able to write to the above topic and hierarchy below.
My GPG key is: curl https://keybase.io/thrix/key.asc
I work for OSCI / Testing Farm team
Which kind of certificate? Are you going to be using fedmsg or fedora-messaging? Talking to which bus? I assume prod based on the topic...
Metadata Update from @kevin: - Issue priority set to: Waiting on Assignee (was: Needs Review)
@kevin We are going to use fedora-messaging, i.e. the AMQP based bus. And yes - prod bus.
Done. See out of band email.
Metadata Update from @kevin: - Issue assigned to kevin - Issue close_status updated to: Fixed - Issue status updated to: Closed (was: Open)
Also started our side of this https://pagure.io/fedora-infrastructure/issue/7977
@kevin I cannot find the out of band email, where did you send it please? My email address is mvadkert@redhat.com ...
That's the address I used. I just resent it from internal... let me know if you get it.
@kevin got it now! thanks very much!
Metadata Update from @mvadkert: - Issue status updated to: Open (was: Closed)
@kevin sorry for reopening, could we also get certs for dev and staging busses please? Seems as this is something we are developing, better to not use only production ...
@kevin, I cannot get my certificate working. This is the configuration file I use, but no luck with it.
Could you provide details on what is wrong with my setup?
```
# fedora-messaging --conf /etc/fedora-messaging/testing-farm.toml consume
[INFO fedora_messaging.cli] Starting consumer with fedora_messaging.example:printer callback
[INFO fedora_messaging._session] Authenticating with server using x509 (certfile: /etc/fedora-messaging/testing-farm-cert.pem, keyfile: /etc/fedora-messaging/testing-farm-key.pem)
[INFO twisted] Starting factory FedoraMessagingFactoryV2(parameters=<URLParameters host=rabbitmq.fedoraproject.org port=5671 virtual_host=/pubsub ssl=True>, confirms=True)
[ERROR fedora_messaging.cli] The TCP connection appears to have started, but the TLS or AMQP handshake with the broker failed; check your connection and authentication parameters and ensure your user has permission to access the vhost
[INFO twisted] <twisted.internet.tcp.Connector instance at 0x7f1fef521a90 disconnected IPv4Address(type='TCP', host='rabbitmq.fedoraproject.org', port=5671)> will retry in 2 seconds
[INFO twisted] Stopping factory FedoraMessagingFactoryV2(parameters=<URLParameters host=rabbitmq.fedoraproject.org port=5671 virtual_host=/pubsub ssl=True>, confirms=True)
[INFO fedora_messaging.twisted.protocol] Disconnect requested, but AMQP connection already gone
[INFO fedora_messaging.twisted.protocol] Disconnect requested, but AMQP connection already gone
[INFO twisted] Main loop terminated.
```
```
# cat /etc/fedora-messaging/testing-farm.toml
amqp_url = "amqps://testing-farm:@rabbitmq.fedoraproject.org/%2Fpubsub"
callback = "fedora_messaging.example:printer"

[tls]
ca_cert = "/etc/fedora-messaging/ca.crt"
keyfile = "/etc/fedora-messaging/testing-farm-key.pem"
certfile = "/etc/fedora-messaging/testing-farm-cert.pem"

[client_properties]
app = "Testing Farm Scheduler"
# Some suggested extra fields:
# URL of the project that provides this consumer
app_url = "https://github.com/fedora-infra/fedora-messaging"
# Contact emails for the maintainer(s) of the consumer - in case the
# broker admin needs to contact them, for e.g.
app_contacts_email = ["mvadkert@redhat.com"]

[exchanges."amq.topic"]
type = "topic"
durable = true
auto_delete = false
arguments = {}

# Queue names *must* be in the normal UUID format: run "uuidgen" and use the
# output as your queue name. If your queue is not exclusive, anyone can connect
# and consume from it, causing you to miss messages, so do not share your queue
# name. Any queues that are not auto-deleted on disconnect are garbage-collected
# after approximately one hour.
#
# If you require a stronger guarantee about delivery, please talk to Fedora's
# Infrastructure team.
[queues.a8497df6-3ca0-476a-9700-8332f43e1198]
durable = false
auto_delete = true
exclusive = true
arguments = {}

[[bindings]]
queue = "a8497df6-3ca0-476a-9700-8332f43e1198"
exchange = "amq.topic"
routing_keys = ["#"]  # Set this to the specific topics you are interested in.

[consumer_config]
example_key = "for my consumer"

[qos]
prefetch_size = 0
prefetch_count = 25

[log_config]
version = 1
disable_existing_loggers = true

[log_config.formatters.simple]
format = "[%(levelname)s %(name)s] %(message)s"

[log_config.handlers.console]
class = "logging.StreamHandler"
formatter = "simple"
stream = "ext://sys.stdout"

[log_config.loggers.fedora_messaging]
level = "INFO"
propagate = false
handlers = ["console"]

[log_config.loggers.twisted]
level = "INFO"
propagate = false
handlers = ["console"]

[log_config.loggers.pika]
level = "WARNING"
propagate = false
handlers = ["console"]

# If your consumer sets up a logger, you must add a configuration for it
# here in order for the messages to show up. e.g. if it set up a logger
# called 'example_printer', you could do:
#[log_config.loggers.example_printer]
#level = "INFO"
#propagate = false
#handlers = ["console"]

[log_config.root]
level = "ERROR"
handlers = ["console"]
```
The default fedora account for reading works on my machine.
04:04 < pingou> mvadkert: wild guess: the username was not created on the rabbitmq server
Indeed, the testing-farm user seems to be nonexistent. What would be the best place in ansible for this kind of declaration? (since it's not tied to an app we host). It's just a rabbitmq_user module call.
@abompard would it be a problem to get it created manually for now, so I get unblocked, pretty please? And thanks for looking!
I wonder if we shouldn't have a dedicated playbook for this (since there will be more apps like this one, we could then centralize them all in one playbook)
The user is created, it will be testing-farm.stg on testing and testing-farm on prod, and it requires the corresponding SSL certificate.
You can use the queue named testing-farm and testing-farm.stg on staging. This means changing your [queues.XXX] section and your [[bindings]] section.
You must also set passive_declares = true in the top (nameless) section of your configuration file.
Feel free to ping me on IRC if things still don't work.
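The configuration changes described in the comment above can be checked mechanically before connecting. This is an added example, not part of the original ticket or of fedora-messaging; the `check_config` helper, the constructed sample configs and the `broker.example` host are assumptions, as is the rule that the queue carries the same name as the broker user.

```python
try:
    import tomllib  # Python 3.11+
except ImportError:  # assumption: the 'tomli' backport is installed on older Pythons
    import tomli as tomllib
from urllib.parse import urlsplit

def check_config(text):
    """Return problems found in a fedora-messaging TOML config (empty list = OK)."""
    cfg = tomllib.loads(text)
    problems = []
    user = urlsplit(cfg.get("amqp_url", "")).username or ""
    if not cfg.get("amqp_url", "").startswith("amqps://") or not user:
        problems.append("amqp_url must be amqps:// and carry the broker username")
    # The queue is created by the broker admins, so the client only declares passively.
    if cfg.get("passive_declares") is not True:
        problems.append("passive_declares = true is missing from the top section")
    problems += [f"[tls] {k} is not set" for k in ("ca_cert", "keyfile", "certfile")
                 if not cfg.get("tls", {}).get(k)]
    # Ticket advice: queue named after the user; quote dotted names or TOML nests them.
    queues = cfg.get("queues", {})
    if user and set(queues) != {user}:
        problems.append(f"[queues] defines {sorted(queues)}, expected only '{user}'")
    for b in cfg.get("bindings", []):
        if b.get("queue") != user:
            problems.append(f"binding uses queue '{b.get('queue')}', expected '{user}'")
    return problems

# Constructed sample configs; broker.example is a placeholder host.
BEFORE = '''
amqp_url = "amqps://testing-farm.stg:@broker.example/%2Fpubsub"
[tls]
ca_cert = "/etc/fedora-messaging/ca.crt"
keyfile = "/etc/fedora-messaging/testing-farm-key.pem"
certfile = "/etc/fedora-messaging/testing-farm-cert.pem"
[queues.a8497df6-3ca0-476a-9700-8332f43e1198]
durable = false
[[bindings]]
queue = "a8497df6-3ca0-476a-9700-8332f43e1198"
exchange = "amq.topic"
routing_keys = ["#"]
'''
AFTER = (BEFORE.replace("[tls]", "passive_declares = true\n[tls]", 1)
         .replace("[queues.a8497df6-3ca0-476a-9700-8332f43e1198]", '[queues."testing-farm.stg"]')
         .replace('queue = "a8497df6-3ca0-476a-9700-8332f43e1198"', 'queue = "testing-farm.stg"'))
UNQUOTED = AFTER.replace('[queues."testing-farm.stg"]', "[queues.testing-farm.stg]")

if __name__ == "__main__":
    for name, text in (("before", BEFORE), ("after", AFTER), ("unquoted", UNQUOTED)):
        print(name, check_config(text))
```

The `UNQUOTED` case shows why the staging queue name needs quotes in the table header: without them TOML reads `testing-farm.stg` as a table `stg` nested inside `testing-farm`.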
staging cert sent out of band. We don't have a dev bus. :(
Is this all done then? Or is there more to do here?
Let us know if there is anything more to do on this from our end.
:tractor:
Metadata Update from @kevin: - Issue close_status updated to: Fixed - Issue status updated to: Closed (was: Open)
Sorry for the late reply, I am all set, thanks very much
Commit ab31f6fc fixes this issue