You are viewing a plain text version of this content. The canonical link for it is here.
Posted to notifications@fluo.apache.org by GitBox <gi...@apache.org> on 2021/10/05 14:28:29 UTC
[GitHub] [fluo-muchos] brianloss opened a new pull request #411: Ensure packages are up to date.
brianloss opened a new pull request #411:
URL: https://github.com/apache/fluo-muchos/pull/411
* When installing on Azure, the default image is CentOS 7.5, which
does not have a new enough version of ca-certificates. The result is
downloads from Apache fail since SSL certificate verification fails.
Rather than simply upgrading ca-certificates, it seemed like a better
security stance to upgrade all packages that are installed in the
chosen image.
* InfluxDB appears to have changed their checksum, so updated the
associated checksums file.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@fluo.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [fluo-muchos] brianloss commented on a change in pull request #411: Ensure CA certificates are up to date.
Posted by GitBox <gi...@apache.org>.
brianloss commented on a change in pull request #411:
URL: https://github.com/apache/fluo-muchos/pull/411#discussion_r722429696
##########
File path: ansible/roles/common/tasks/main.yml
##########
@@ -21,6 +21,13 @@
retries: 10
delay: 15
until: epelresult is not failed
+# Update ca-certificates to ensure that CA certificates are new enough
+# to support SSL verification against websites used to download software
+- name: "update ca-certificates package to latest version"
+ yum:
+ name: 'ca-certificates*'
Review comment:
> > Note that it will only update and not install any new packages if the wildcard matches multiple.
>
> I did not realize that. Seems like that makes it pretty safe for any cases I can think of, but with something like this I would err on the side of caution.
The [update_only](https://docs.ansible.com/ansible/latest/collections/ansible/builtin/yum_module.html#parameter-update_only) option to the yum module is what ensures it will only update installed packages matching the pattern to the latest version.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@fluo.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [fluo-muchos] brianloss commented on a change in pull request #411: Ensure CA certificates are up to date.
Posted by GitBox <gi...@apache.org>.
brianloss commented on a change in pull request #411:
URL: https://github.com/apache/fluo-muchos/pull/411#discussion_r722475117
##########
File path: ansible/roles/common/tasks/main.yml
##########
@@ -21,6 +21,13 @@
retries: 10
delay: 15
until: epelresult is not failed
+# Update ca-certificates to ensure that CA certificates are new enough
Review comment:
I was thinking that at first too, but I searched around for all `get_url` calls. There are definitely some (e.g., in ansible/roles/elasticsearch/tasks/main.yml as one example) that are invoked on the target host directly and not just the proxy.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@fluo.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [fluo-muchos] ctubbsii merged pull request #411: Update default Azure image to CentOS 7.9
Posted by GitBox <gi...@apache.org>.
ctubbsii merged pull request #411:
URL: https://github.com/apache/fluo-muchos/pull/411
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@fluo.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [fluo-muchos] ctubbsii commented on a change in pull request #411: Ensure CA certificates are up to date.
Posted by GitBox <gi...@apache.org>.
ctubbsii commented on a change in pull request #411:
URL: https://github.com/apache/fluo-muchos/pull/411#discussion_r722491026
##########
File path: ansible/roles/proxy/tasks/main.yml
##########
@@ -25,3 +25,10 @@
file: path={{ tarballs_dir }} state=directory
- name: "copy /etc/hosts to proxy"
template: src=roles/proxy/templates/etc_hosts dest=/etc/etc_hosts owner=root group=root mode=0644
+# Update ca-certificates to ensure that CA certificates are new enough
+# to support SSL verification against websites used to download software
+- name: "update ca-certificates package to latest version"
+ yum:
+ name: 'ca-certificates*'
Review comment:
Why the wildcard? That seems questionable. RPMs are named based on artifact name, (epoch), version, and release (followed by arch). For YUM, it is sufficient to install/update by name only. See https://blog.jasonantman.com/2014/07/how-yum-and-rpm-compare-versions/
To install or update the ca-certificates RPM, it is sufficient to specify `ca-certificates`. Adding the wildcard would match on tangentially related packages, perhaps debug packages, or 3rd party packages that start with that pattern. It does help that `update_only` is specified, so you don't install any new packages, but it still implies that this could grab more than intended.
##########
File path: ansible/roles/influxdb/defaults/main.yml
##########
@@ -16,4 +16,4 @@
#
influxdb_rpm: influxdb-1.8.3.x86_64.rpm
-influxdb_checksum: "sha512:4c0557c24e5083e9d94d49cfad496f45421bb50aacf75737ca6bff36c8ef276af884c5419b5cc74e4fa1e8062e6bee18af53e3650eaa8a6ecd656346151ea87c"
+influxdb_checksum: "sha512:60abf31c70beb8a391ded82569532a255384516da0b3c287d20065fe7047be343c50b37bbe31d5dd8df4bcb31144ef696b90e21d6739ce375b7e4fc33bae4f03"
Review comment:
This is out of scope of this PR, and comes with security risks that need to be checked to ensure the RPM isn't modified in some way. Please put this in a separate PR, in case we need to discuss it. There's previous history with this. See #381
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@fluo.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [fluo-muchos] arvindshmicrosoft commented on a change in pull request #411: Ensure CA certificates are up to date.
Posted by GitBox <gi...@apache.org>.
arvindshmicrosoft commented on a change in pull request #411:
URL: https://github.com/apache/fluo-muchos/pull/411#discussion_r722463660
##########
File path: ansible/roles/common/tasks/main.yml
##########
@@ -21,6 +21,13 @@
retries: 10
delay: 15
until: epelresult is not failed
+# Update ca-certificates to ensure that CA certificates are new enough
Review comment:
I wonder if this is needed as part of the `common` role, given we usually do not directly download anything directly on the nodes (or maybe we do)?
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@fluo.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [fluo-muchos] arvindshmicrosoft commented on pull request #411: Ensure CA certificates are up to date.
Posted by GitBox <gi...@apache.org>.
arvindshmicrosoft commented on pull request #411:
URL: https://github.com/apache/fluo-muchos/pull/411#issuecomment-934583340
Hi @brianloss as you mentioned re: older PR - I wonder if we should just start using the 7.9 image instead?
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@fluo.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [fluo-muchos] brianloss commented on a change in pull request #411: Ensure CA certificates are up to date.
Posted by GitBox <gi...@apache.org>.
brianloss commented on a change in pull request #411:
URL: https://github.com/apache/fluo-muchos/pull/411#discussion_r722398740
##########
File path: ansible/roles/common/tasks/main.yml
##########
@@ -21,6 +21,13 @@
retries: 10
delay: 15
until: epelresult is not failed
+# Update ca-certificates to ensure that CA certificates are new enough
+# to support SSL verification against websites used to download software
+- name: "update ca-certificates package to latest version"
+ yum:
+ name: 'ca-certificates*'
Review comment:
On CentOS 7.5, ca-certificates appears like it would be enough. I didn't try to check all the potential distros, so that's part of why the wildcard at the end. Note that it will only update and not install any new packages if the wildcard matches multiple. I checked on an ubuntu machine and `apt search ca-certificates` shows matches for ca-certificates, ca-certificates-java, and ca-certificates-mono. Seems like it would be good to keep those in sync if they were installed (ca-certificates and ca-certificates-java were installed on my system).
That being said, I'm happy to reduce this to ca-certificates with no wildcard if you have concerns. Just let me know.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@fluo.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [fluo-muchos] brianloss commented on pull request #411: Update default Azure image to CentOS 7.9
Posted by GitBox <gi...@apache.org>.
brianloss commented on pull request #411:
URL: https://github.com/apache/fluo-muchos/pull/411#issuecomment-936199950
> > If we want to be more explicit and say CentOS 7.5 is too old and no longer supported, that's fine too.
>
> So, just to be clear, no versions are "supported". This repo is unreleased software created for internal testing by the Fluo (and Accumulo) developers. The intent is that the contents of the repo are what the developers are using, to make their lives easier. We don't do releases, and we don't do any kind of support. If devs are still doing testing of Fluo or Accumulo on 7.5, it's fine if we make that work. However, I don't see any reason they should still be testing on those versions, since there are more up-to-date versions of CentOS 7 to test with.
Sure, support was probably not the best choice of words. We have caveats for other things that are known not to work. Perhaps that doesn't make sense for the image version, especially since I don't really feel like figuring out which CentOS image is the first one with a new enough version of ca-certificates to work. :)
>
> > @arvindshmicrosoft suggested changing the image in muchos.props.example to 7.9. Let me know if you prefer that instead, and I'll either make that change, or address your other comments.
>
> Is 7.9 the latest 7? Strong +1 to just updating the example to use the latest CentOS 7 AMI, if that works.
@ctubbsii I updated the Azure default image. 7.9 is the latest 7.x on Azure. I don't have AWS resources to test, so I didn't make changes there. However, [this page](https://wiki.centos.org/Cloud/AWS) indicates official CentOS images are now published outside of the marketplace. It looks like ami-00e87074e52e6c9f9 is the latest 7.9 image for us-east-1. I'm happy to make that change if you're comfortable with it going in without testing.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@fluo.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [fluo-muchos] keith-turner commented on a change in pull request #411: Ensure CA certificates are up to date.
Posted by GitBox <gi...@apache.org>.
keith-turner commented on a change in pull request #411:
URL: https://github.com/apache/fluo-muchos/pull/411#discussion_r722390711
##########
File path: ansible/roles/common/tasks/main.yml
##########
@@ -21,6 +21,13 @@
retries: 10
delay: 15
until: epelresult is not failed
+# Update ca-certificates to ensure that CA certificates are new enough
+# to support SSL verification against websites used to download software
+- name: "update ca-certificates package to latest version"
+ yum:
+ name: 'ca-certificates*'
Review comment:
What do the package names look like? Wondering if this is the most specific the package pattern can be.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@fluo.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [fluo-muchos] brianloss commented on pull request #411: Ensure packages are up to date.
Posted by GitBox <gi...@apache.org>.
brianloss commented on pull request #411:
URL: https://github.com/apache/fluo-muchos/pull/411#issuecomment-934467019
Ha, I missed that @arvindshmicrosoft already had a similar PR for this out there, and I saw the comments. Given that, I can maybe limit updates on the proxy to include only ca-certificates so at least downloads can succeed without skipping SSL certificate verification.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@fluo.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [fluo-muchos] ctubbsii commented on a change in pull request #411: Ensure CA certificates are up to date.
Posted by GitBox <gi...@apache.org>.
ctubbsii commented on a change in pull request #411:
URL: https://github.com/apache/fluo-muchos/pull/411#discussion_r722859111
##########
File path: ansible/roles/proxy/tasks/main.yml
##########
@@ -25,3 +25,10 @@
file: path={{ tarballs_dir }} state=directory
- name: "copy /etc/hosts to proxy"
template: src=roles/proxy/templates/etc_hosts dest=/etc/etc_hosts owner=root group=root mode=0644
+# Update ca-certificates to ensure that CA certificates are new enough
+# to support SSL verification against websites used to download software
+- name: "update ca-certificates package to latest version"
+ yum:
+ name: 'ca-certificates*'
+ state: latest
+ update_only: yes
Review comment:
OBE if you update to latest CentOS 7 in the example props.
I think the wildcard should be dropped, because any other matching RPMs would be unexpected and who knows what they might contain. Keeping `update_only` is safer with the wildcard. Dropping the wildcard, I don't have a strong opinion about `update_only`. It'd be redundant, but harmless. In any case, all this is OBE if you update to the latest CentOS 7, which I think is better.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@fluo.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [fluo-muchos] ctubbsii commented on a change in pull request #411: Ensure CA certificates are up to date.
Posted by GitBox <gi...@apache.org>.
ctubbsii commented on a change in pull request #411:
URL: https://github.com/apache/fluo-muchos/pull/411#discussion_r722486782
##########
File path: ansible/roles/proxy/tasks/main.yml
##########
@@ -25,3 +25,10 @@
file: path={{ tarballs_dir }} state=directory
- name: "copy /etc/hosts to proxy"
template: src=roles/proxy/templates/etc_hosts dest=/etc/etc_hosts owner=root group=root mode=0644
+# Update ca-certificates to ensure that CA certificates are new enough
+# to support SSL verification against websites used to download software
+- name: "update ca-certificates package to latest version"
+ yum:
+ name: 'ca-certificates*'
+ state: latest
+ update_only: yes
Review comment:
update-only is a bit redundant here, since it will always be installed. I'm pretty sure it's part of the core packages.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@fluo.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [fluo-muchos] brianloss commented on pull request #411: Ensure CA certificates are up to date.
Posted by GitBox <gi...@apache.org>.
brianloss commented on pull request #411:
URL: https://github.com/apache/fluo-muchos/pull/411#issuecomment-934590578
> Hi @brianloss as you mentioned re: older PR - I wonder if we should just start using the 7.9 image instead?
@arvindshmicrosoft That's probably a good idea as well. I feel like updating the CA certs is a good protection that should help with deploying on older images and shouldn't hurt (or could argue is a good idea) for newer images as well.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@fluo.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [fluo-muchos] ctubbsii commented on a change in pull request #411: Ensure CA certificates are up to date.
Posted by GitBox <gi...@apache.org>.
ctubbsii commented on a change in pull request #411:
URL: https://github.com/apache/fluo-muchos/pull/411#discussion_r722486782
##########
File path: ansible/roles/proxy/tasks/main.yml
##########
@@ -25,3 +25,10 @@
file: path={{ tarballs_dir }} state=directory
- name: "copy /etc/hosts to proxy"
template: src=roles/proxy/templates/etc_hosts dest=/etc/etc_hosts owner=root group=root mode=0644
+# Update ca-certificates to ensure that CA certificates are new enough
+# to support SSL verification against websites used to download software
+- name: "update ca-certificates package to latest version"
+ yum:
+ name: 'ca-certificates*'
+ state: latest
+ update_only: yes
Review comment:
update-only is fine, but I think it is a bit redundant here, since it will always be installed. I'm pretty sure it's part of the core packages.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@fluo.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [fluo-muchos] ctubbsii commented on pull request #411: Update default Azure image to CentOS 7.9
Posted by GitBox <gi...@apache.org>.
ctubbsii commented on pull request #411:
URL: https://github.com/apache/fluo-muchos/pull/411#issuecomment-937479715
> I updated the Azure default image. 7.9 is the latest 7.x on Azure. I don't have AWS resources to test, so I didn't make changes there. However, [this page](https://wiki.centos.org/Cloud/AWS) indicates official CentOS images are now published outside of the marketplace. It looks like ami-00e87074e52e6c9f9 is the latest 7.9 image for us-east-1. I'm happy to make that change if you're comfortable with it going in without testing.
That's fine. We can update the AWS example AMI separately, once somebody has a chance to test that image. I have no reason to suspect it won't work, but I'm fine with waiting until somebody who needs it has time to test it. I was able to confirm the AMI for us-east-1 from the page at https://www.centos.org/download/aws-images/ as well as https://wiki.centos.org/Cloud/AWS
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@fluo.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [fluo-muchos] ctubbsii merged pull request #411: Update default Azure image to CentOS 7.9
Posted by GitBox <gi...@apache.org>.
ctubbsii merged pull request #411:
URL: https://github.com/apache/fluo-muchos/pull/411
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@fluo.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [fluo-muchos] keith-turner commented on a change in pull request #411: Ensure CA certificates are up to date.
Posted by GitBox <gi...@apache.org>.
keith-turner commented on a change in pull request #411:
URL: https://github.com/apache/fluo-muchos/pull/411#discussion_r722409743
##########
File path: ansible/roles/common/tasks/main.yml
##########
@@ -21,6 +21,13 @@
retries: 10
delay: 15
until: epelresult is not failed
+# Update ca-certificates to ensure that CA certificates are new enough
+# to support SSL verification against websites used to download software
+- name: "update ca-certificates package to latest version"
+ yum:
+ name: 'ca-certificates*'
Review comment:
> On CentOS 7.5, ca-certificates appears like it would be enough.
Since Muchos is targeting centos, seems like if it could be more narrow that would be good.
> Note that it will only update and not install any new packages if the wildcard matches multiple.
I did not realize that. Seems like that makes it pretty safe for any cases I can think of, but with something like this I would err on the side of caution.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@fluo.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [fluo-muchos] brianloss commented on a change in pull request #411: Ensure CA certificates are up to date.
Posted by GitBox <gi...@apache.org>.
brianloss commented on a change in pull request #411:
URL: https://github.com/apache/fluo-muchos/pull/411#discussion_r722488107
##########
File path: ansible/roles/proxy/tasks/main.yml
##########
@@ -25,3 +25,10 @@
file: path={{ tarballs_dir }} state=directory
- name: "copy /etc/hosts to proxy"
template: src=roles/proxy/templates/etc_hosts dest=/etc/etc_hosts owner=root group=root mode=0644
+# Update ca-certificates to ensure that CA certificates are new enough
+# to support SSL verification against websites used to download software
+- name: "update ca-certificates package to latest version"
+ yum:
+ name: 'ca-certificates*'
+ state: latest
+ update_only: yes
Review comment:
I figured it was better to be safe since I added the wildcard. Would you prefer I remove it? If so, should I remove the wildcard too and limit the package to ca-certificates only?
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@fluo.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [fluo-muchos] brianloss commented on pull request #411: Ensure CA certificates are up to date.
Posted by GitBox <gi...@apache.org>.
brianloss commented on pull request #411:
URL: https://github.com/apache/fluo-muchos/pull/411#issuecomment-934507454
Modified this PR to update only ca-certificates package. This will allow muchos to work when configured with older VM images where the CA certs were out of date and wouldn't work with the newer apache download servers.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@fluo.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [fluo-muchos] ctubbsii commented on a change in pull request #411: Ensure CA certificates are up to date.
Posted by GitBox <gi...@apache.org>.
ctubbsii commented on a change in pull request #411:
URL: https://github.com/apache/fluo-muchos/pull/411#discussion_r722486782
##########
File path: ansible/roles/proxy/tasks/main.yml
##########
@@ -25,3 +25,10 @@
file: path={{ tarballs_dir }} state=directory
- name: "copy /etc/hosts to proxy"
template: src=roles/proxy/templates/etc_hosts dest=/etc/etc_hosts owner=root group=root mode=0644
+# Update ca-certificates to ensure that CA certificates are new enough
+# to support SSL verification against websites used to download software
+- name: "update ca-certificates package to latest version"
+ yum:
+ name: 'ca-certificates*'
+ state: latest
+ update_only: yes
Review comment:
update_only is fine, but I think it is a bit redundant here, since it will always be installed. I'm pretty sure it's part of the core packages.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@fluo.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [fluo-muchos] ctubbsii commented on a change in pull request #411: Ensure CA certificates are up to date.
Posted by GitBox <gi...@apache.org>.
ctubbsii commented on a change in pull request #411:
URL: https://github.com/apache/fluo-muchos/pull/411#discussion_r722857402
##########
File path: ansible/roles/influxdb/defaults/main.yml
##########
@@ -16,4 +16,4 @@
#
influxdb_rpm: influxdb-1.8.3.x86_64.rpm
-influxdb_checksum: "sha512:4c0557c24e5083e9d94d49cfad496f45421bb50aacf75737ca6bff36c8ef276af884c5419b5cc74e4fa1e8062e6bee18af53e3650eaa8a6ecd656346151ea87c"
+influxdb_checksum: "sha512:60abf31c70beb8a391ded82569532a255384516da0b3c287d20065fe7047be343c50b37bbe31d5dd8df4bcb31144ef696b90e21d6739ce375b7e4fc33bae4f03"
Review comment:
Addressed in #412
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@fluo.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [fluo-muchos] ctubbsii commented on pull request #411: Update default Azure image to CentOS 7.9
Posted by GitBox <gi...@apache.org>.
ctubbsii commented on pull request #411:
URL: https://github.com/apache/fluo-muchos/pull/411#issuecomment-937479715
> I updated the Azure default image. 7.9 is the latest 7.x on Azure. I don't have AWS resources to test, so I didn't make changes there. However, [this page](https://wiki.centos.org/Cloud/AWS) indicates official CentOS images are now published outside of the marketplace. It looks like ami-00e87074e52e6c9f9 is the latest 7.9 image for us-east-1. I'm happy to make that change if you're comfortable with it going in without testing.
That's fine. We can update the AWS example AMI separately, once somebody has a chance to test that image. I have no reason to suspect it won't work, but I'm fine with waiting until somebody who needs it has time to test it. I was able to confirm the AMI for us-east-1 from the page at https://www.centos.org/download/aws-images/ as well as https://wiki.centos.org/Cloud/AWS
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@fluo.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [fluo-muchos] brianloss commented on pull request #411: Ensure CA certificates are up to date.
Posted by GitBox <gi...@apache.org>.
brianloss commented on pull request #411:
URL: https://github.com/apache/fluo-muchos/pull/411#issuecomment-934666660
> This seems like a more narrow version of the currently stalled PR #408
>
> The question there was essentially: Why not just expect one to use an up-to-date base image? If the base image is out of date, the user can add this themselves, or update it with cloud-init or the equivalent, rather than try to bloat our ansible setup, which should probably just focus on setting up our stuff on top of the base image. See discussion on #408 for more.
It is a more narrow version of #408. I tried to do what is effectively a vanilla install on azure with the example defaults, and it failed in a somewhat confusing manner because packages couldn't be downloaded from the Apache mirrors. The SSL cert validation failed because the CAs were out of date. I wouldn't call it bloat to ensure that the underlying image is updated to the minimums necessary to run the ansible playbooks (in this case executing get_url against apache servers). If we want to be more explicit and say CentOS 7.5 is too old and no longer supported, that's fine too. @arvindshmicrosoft suggested changing the image in muchos.props.example to 7.9. Let me know if you prefer that instead, and I'll either make that change, or address your other comments.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@fluo.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [fluo-muchos] ctubbsii commented on pull request #411: Ensure CA certificates are up to date.
Posted by GitBox <gi...@apache.org>.
ctubbsii commented on pull request #411:
URL: https://github.com/apache/fluo-muchos/pull/411#issuecomment-935352808
> I wouldn't call it bloat to ensure that the underlying image is updated to the minimums necessary to run the ansible playbooks (in this case executing get_url against apache servers).
I just think using an updated image makes more sense.
> If we want to be more explicit and say CentOS 7.5 is too old and no longer supported, that's fine too.
So, just to be clear, no versions are "supported". This repo is unreleased software created for internal testing by the Fluo (and Accumulo) developers. The intent is that the contents of the repo are what the developers are using, to make their lives easier. We don't do releases, and we don't do any kind of support. If devs are still doing testing of Fluo or Accumulo on 7.5, it's fine if we make that work. However, I don't see any reason they should still be testing on those versions, since there are more up-to-date versions of CentOS 7 to test with.
> @arvindshmicrosoft suggested changing the image in muchos.props.example to 7.9. Let me know if you prefer that instead, and I'll either make that change, or address your other comments.
Is 7.9 the latest 7? Strong +1 to just updating the example to use the latest CentOS 7 AMI, if that works.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@fluo.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org