Migration doesn't migrate issue attachments properly

kparal commented

2025-12-04 11:23:59 +00:00

The issue attachments from Pagure repos are not migrated properly. The migrated image hyperlinks are give 404.

Example (image in initial comment): https://pagure.io/fedora-qa/testdays-web/issue/47
Migrated issue: https://forge.stg.fedoraproject.org/quality/testdays-web/issues/47
Pagure image link (works): https://pagure.io/fedora-qa/testdays-web/issue/raw/files/e55e4df624a67f458bfdd0ffcf4439a404140ab10b08fe488bd5d9e428970b17-Screenshot_From_2025-05-15_12-55-51.png
Forge image link (broken): https://forge.stg.fedoraproject.org/fedora-qa/testdays-web/issue/raw/files/e55e4df624a67f458bfdd0ffcf4439a404140ab10b08fe488bd5d9e428970b17-Screenshot_From_2025-05-15_12-55-51.png

Example2 (image in subsequent comment): https://pagure.io/fedora-qa/testdays-web/issue/55
Migrated issue: https://forge.stg.fedoraproject.org/quality/testdays-web/issues/55

The issue attachments from Pagure repos are not migrated properly. The migrated image hyperlinks are give 404. Example (image in initial comment): https://pagure.io/fedora-qa/testdays-web/issue/47 Migrated issue: https://forge.stg.fedoraproject.org/quality/testdays-web/issues/47 Pagure image link (works): https://pagure.io/fedora-qa/testdays-web/issue/raw/files/e55e4df624a67f458bfdd0ffcf4439a404140ab10b08fe488bd5d9e428970b17-Screenshot_From_2025-05-15_12-55-51.png Forge image link (broken): https://forge.stg.fedoraproject.org/fedora-qa/testdays-web/issue/raw/files/e55e4df624a67f458bfdd0ffcf4439a404140ab10b08fe488bd5d9e428970b17-Screenshot_From_2025-05-15_12-55-51.png Example2 (image in subsequent comment): https://pagure.io/fedora-qa/testdays-web/issue/55 Migrated issue: https://forge.stg.fedoraproject.org/quality/testdays-web/issues/55

ryanlerch commented

2025-12-08 01:29:49 +00:00

Owner

Closing this one as a duplicate. WE have this one, where we investigated actaully importing all the attachments:

#262

And this one is still open tracking the redirect route that we are taking:

#275

Closing this one as a duplicate. WE have this one, where we investigated actaully importing all the attachments: https://forge.fedoraproject.org/forge/forge/issues/262 And this one is still open tracking the redirect route that we are taking: https://forge.fedoraproject.org/forge/forge/issues/275

ryanlerch closed this issue

2025-12-08 01:29:49 +00:00

kparal commented

2025-12-08 09:52:47 +00:00

Author

Thanks, Ryan. Does this mean that I can count on those migrated attachment links to get functional once #275 is in place? Or is it safer to halt our migrations at this point and wait until this is resolved in one way or another?

kparal commented

2025-12-09 09:45:16 +00:00

Author

All the tickets are closed but the attachments still don't work, so I'm reopening this ticket.

For production Forge, all the attachment links still give 404, example:
quality/fedora-easy-karma#58 (reference)

For staging Forge, the attachment tries to load for a long time, and then gives 503, example:
https://forge.stg.fedoraproject.org/quality/testdays-web/issues/55 (reference)

All the tickets are closed but the attachments still don't work, so I'm reopening this ticket. For production Forge, all the attachment links still give 404, example: https://forge.fedoraproject.org/quality/fedora-easy-karma/issues/58 ([reference](https://pagure.io/fedora-easy-karma/issue/58)) For staging Forge, the attachment tries to load for a long time, and then gives 503, example: https://forge.stg.fedoraproject.org/quality/testdays-web/issues/55 ([reference](https://pagure.io/fedora-qa/testdays-web/issue/55))

kparal reopened this issue

2025-12-09 09:45:16 +00:00

adamwill commented

2025-12-17 19:06:52 +00:00

In the proxy logs I see this:

[Wed Dec 17 19:01:56.860855 2025] [proxy_http:error] [pid 2447754:tid 2447810] (70008)Partial results are valid but processing is incomplete: [client 95.42.140.84:0] AH01110: error reading response
[Wed Dec 17 19:02:04.098075 2025] [ssl:error] [pid 2436154:tid 2442639] [remote 38.145.32.39:443] AH02039: Certificate Verification: Error (20): unable to get local issuer certificate
[Wed Dec 17 19:02:04.098170 2025] [proxy:error] [pid 2436154:tid 2442639] (20014)Internal error (specific information not available): [client 108.172.38.211:0] AH01084: pass request body failed to 38.145.32.39:443 (stg.pagure.io)
[Wed Dec 17 19:02:04.098181 2025] [proxy:error] [pid 2436154:tid 2442639] [client 108.172.38.211:0] AH00898: Error during SSL Handshake with remote server returned by /quality/testdays-web/fedora-qa/testdays-web/issue/raw/files/e55e4df624a67f458bfdd0ffcf4439a404140ab10b08fe488bd5d9e428970b17-Screenshot_From_2025-05-15_12-55-51.png
[Wed Dec 17 19:02:04.098190 2025] [proxy_http:error] [pid 2436154:tid 2442639] [client 108.172.38.211:0] AH01097: pass request body failed to 38.145.32.39:443 (stg.pagure.io) from 127.0.0.1 ()

which indicates the issue is with SSL. Though just doing curl https://stg.pagure.io from a console on the proxy works fine, so that's a bit odd.

But I also see another issue. If you use a browser debug console you can see the attachment URL it tries to get is something like:

https://forge.stg.fedoraproject.org/quality/testdays-web/fedora-qa/testdays-web/issue/raw/files/e55e4df624a67f458bfdd0ffcf4439a404140ab10b08fe488bd5d9e428970b17-Screenshot_From_2025-05-15_12-55-51.png

note the start of the URL has both quality/testdays-web - which is the group/repo on forgejo - and fedora-qa/testdays-web - which is the group/repo on pagure. The HTTP config snippet we put in place is:

ProxyPassMatch ^/(.+?)/issue/raw/files/(.*)$ https://stg.pagure.io/$1/issue/raw/files/$2

so I don't think that would work even if the SSL issue was resolved; I think we'd wind up trying to get:

https://stg.pagure.io/quality/testdays-web/fedora-qa/testdays-web/issue/raw/files/e55e4df624a67f458bfdd0ffcf4439a404140ab10b08fe488bd5d9e428970b17-Screenshot_From_2025-05-15_12-55-51.png

and that's going to be 404. Also I don't understand why the config snippet was written that way - the text between the two match groups is identical on both sides, so wouldn't:

ProxyPassMatch ^/(.+?/issue/raw/files/.*)$ https://stg.pagure.io/$1

have been much simpler? anyway.

In the proxy logs I see this: ``` [Wed Dec 17 19:01:56.860855 2025] [proxy_http:error] [pid 2447754:tid 2447810] (70008)Partial results are valid but processing is incomplete: [client 95.42.140.84:0] AH01110: error reading response [Wed Dec 17 19:02:04.098075 2025] [ssl:error] [pid 2436154:tid 2442639] [remote 38.145.32.39:443] AH02039: Certificate Verification: Error (20): unable to get local issuer certificate [Wed Dec 17 19:02:04.098170 2025] [proxy:error] [pid 2436154:tid 2442639] (20014)Internal error (specific information not available): [client 108.172.38.211:0] AH01084: pass request body failed to 38.145.32.39:443 (stg.pagure.io) [Wed Dec 17 19:02:04.098181 2025] [proxy:error] [pid 2436154:tid 2442639] [client 108.172.38.211:0] AH00898: Error during SSL Handshake with remote server returned by /quality/testdays-web/fedora-qa/testdays-web/issue/raw/files/e55e4df624a67f458bfdd0ffcf4439a404140ab10b08fe488bd5d9e428970b17-Screenshot_From_2025-05-15_12-55-51.png [Wed Dec 17 19:02:04.098190 2025] [proxy_http:error] [pid 2436154:tid 2442639] [client 108.172.38.211:0] AH01097: pass request body failed to 38.145.32.39:443 (stg.pagure.io) from 127.0.0.1 () ``` which indicates the issue is with SSL. Though just doing `curl https://stg.pagure.io` from a console on the proxy works fine, so that's a bit odd. But I also see another issue. If you use a browser debug console you can see the attachment URL it tries to get is something like: ``` https://forge.stg.fedoraproject.org/quality/testdays-web/fedora-qa/testdays-web/issue/raw/files/e55e4df624a67f458bfdd0ffcf4439a404140ab10b08fe488bd5d9e428970b17-Screenshot_From_2025-05-15_12-55-51.png ``` note the start of the URL has both `quality/testdays-web` - which is the group/repo on forgejo - *and* `fedora-qa/testdays-web` - which is the group/repo on pagure. The HTTP config snippet we put in place is: ``` ProxyPassMatch ^/(.+?)/issue/raw/files/(.*)$ https://stg.pagure.io/$1/issue/raw/files/$2 ``` so I don't think that would work even if the SSL issue was resolved; I think we'd wind up trying to get: ``` https://stg.pagure.io/quality/testdays-web/fedora-qa/testdays-web/issue/raw/files/e55e4df624a67f458bfdd0ffcf4439a404140ab10b08fe488bd5d9e428970b17-Screenshot_From_2025-05-15_12-55-51.png ``` and that's going to be 404. Also I don't understand why the config snippet was written that way - the text between the two match groups is identical on both sides, so wouldn't: ``` ProxyPassMatch ^/(.+?/issue/raw/files/.*)$ https://stg.pagure.io/$1 ``` have been much simpler? anyway.

adamwill referenced this issue

2025-12-17 19:08:08 +00:00

Test out the attachment redirects and retain one that works #326

adamwill commented

2025-12-17 19:25:14 +00:00

Oh, and there's yet another problem: we migrated from prod pagure to staging forgejo, but the redirect is hardcoded to assume staging pagure. testdays-web doesn't actually exist on staging pagure - there's no https://stg.pagure.io/fedora-qa/testdays-web/ at all. Still, that wouldn't be a problem in production at least.

Oh, and there's yet another problem: we migrated from *prod* pagure to *staging* forgejo, but the redirect is hardcoded to assume staging pagure. testdays-web doesn't actually exist on staging pagure - there's no https://stg.pagure.io/fedora-qa/testdays-web/ at all. Still, that wouldn't be a problem in production at least.

adamwill commented

2025-12-17 20:28:07 +00:00

So...poking at the SSL aspect of this... If I do curl -4 https://stg.pagure.io/fedora-qa/blocker-review from either staging proxy (using -4 because httpd seems to be using IPv4 so I want to reproduce that), it works instantly. If I do openssl s_client -4 -showcerts -connect stg.pagure.io:443, it immediately runs most of the way and says "Verify return code: 0 (ok)", then gets stuck at read R BLOCK for 20-30 seconds, then prints closed and exits. Not sure why there's the delay at the end, but that mostly looks OK, at least it doesn't indicate any SSL issues.

So I don't know why the proxying is failing with SSL errors :/

So...poking at the SSL aspect of this... If I do `curl -4 https://stg.pagure.io/fedora-qa/blocker-review` from either staging proxy (using `-4` because httpd seems to be using IPv4 so I want to reproduce that), it works instantly. If I do `openssl s_client -4 -showcerts -connect stg.pagure.io:443`, it immediately runs most of the way and says "Verify return code: 0 (ok)", then gets stuck at `read R BLOCK` for 20-30 seconds, then prints `closed` and exits. Not sure why there's the delay at the end, but that mostly looks OK, at least it doesn't indicate any SSL issues. So I don't know why the proxying is failing with SSL errors :/

adamwill commented

2025-12-17 20:57:41 +00:00

Aha, I think I see the issue. Further on in /etc/httpd/conf.d/forge.stg.fedoraproject.org/forge.conf on the proxies is this:

SSLProxyVerify require
SSLProxyCheckPeerName Off
SSLProxyCACertificateFile "/etc/haproxy/ocp-stg-rdu3.pem"

which I think means we use that as the source of trusted CAs for proxy requests. This seems to be to do with some proxying to do with balancer stuff - it comes from https://pagure.io/fedora-infra/ansible/blob/main/f/roles/httpd/reverseproxy/templates/reversepassproxy.conf . But I think it causes us to not trust the certificate of stg.pagure.io (or pagure.io) because don't use certs signed by the OCP CA, they use Let's Encrypt certs.

If I change SSLProxyVerify require to SSLProxyVerify none, I get a 404 (which is expected because of the path problem and the 'testdays-web doesn't exist on staging pagure' problem) instead of SSL errors. There's still about a two minute delay. I think this might be caused by trying IPv6 and then falling back to IPv4 after a timeout; openssl s_client without the -4 behaves much the same.

There is a https://pagure.io/fedora-infra/ansible/blob/main/f/roles/httpd/reverseproxy/templates/reversepassproxy.conf-nonopenshift-rdu3 that seems to be a sort of alternative to reversepassproxy.conf. openQA uses that one, for instance. It does not have an SSLProxyCACertificateFile directive. But I'm not totally sure whether using it for forge would be the right fix, and what the implications of that are.

Edit: https://access.redhat.com/solutions/5058261 notes that "with the Apache httpd version 2.4.30 and later SSLProxyCACertificateFile and SSLProxyProtocol is allowed in proxy section context". So we could probably change reversepassproxy.conf to specify the options it wants within each <Proxy> block, not outside them, and that might resolve this.

I can't figure out yet how to force ProxyPass to use IPv4, though :/

Aha, I think I see the issue. Further on in `/etc/httpd/conf.d/forge.stg.fedoraproject.org/forge.conf` on the proxies is this: ``` SSLProxyVerify require SSLProxyCheckPeerName Off SSLProxyCACertificateFile "/etc/haproxy/ocp-stg-rdu3.pem" ``` which I think means we use that as the source of trusted CAs for proxy requests. This seems to be to do with some proxying to do with balancer stuff - it comes from https://pagure.io/fedora-infra/ansible/blob/main/f/roles/httpd/reverseproxy/templates/reversepassproxy.conf . But I think it causes us to not trust the certificate of stg.pagure.io (or pagure.io) because don't use certs signed by the OCP CA, they use Let's Encrypt certs. If I change `SSLProxyVerify require` to `SSLProxyVerify none`, I get a 404 (which is expected because of the path problem and the 'testdays-web doesn't exist on staging pagure' problem) instead of SSL errors. There's still about a two minute delay. I *think* this might be caused by trying IPv6 and then falling back to IPv4 after a timeout; `openssl s_client` without the `-4` behaves much the same. There is a https://pagure.io/fedora-infra/ansible/blob/main/f/roles/httpd/reverseproxy/templates/reversepassproxy.conf-nonopenshift-rdu3 that seems to be a sort of alternative to reversepassproxy.conf. openQA uses that one, for instance. It does not have an SSLProxyCACertificateFile directive. But I'm not totally sure whether using it for forge would be the right fix, and what the implications of that are. Edit: https://access.redhat.com/solutions/5058261 notes that "with the Apache httpd version 2.4.30 and later SSLProxyCACertificateFile and SSLProxyProtocol is allowed in proxy section context". So we could probably change `reversepassproxy.conf` to specify the options it wants *within each `<Proxy>` block*, not outside them, and that might resolve this. I can't figure out yet how to force ProxyPass to use IPv4, though :/

adamwill commented

2025-12-17 22:46:08 +00:00

so, we dealt with the IPv6 thing by fiddling with DNS so the host only resolves to IPv4 internally. Adding this to the httpd config file solves the SSL issue:

<Proxy "https://stg.pagure.io">
SSLProxyVerify require
SSLProxyVerifyDepth 2
SSLProxyCACertificateFile "/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem"
</Proxy>

and that just leaves the doubled-path thing to figure out, I think. Will look at that next.

so, we dealt with the IPv6 thing by fiddling with DNS so the host only resolves to IPv4 internally. Adding this to the httpd config file solves the SSL issue: ``` <Proxy "https://stg.pagure.io"> SSLProxyVerify require SSLProxyVerifyDepth 2 SSLProxyCACertificateFile "/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem" </Proxy> ``` and that just leaves the doubled-path thing to figure out, I think. Will look at that next.

adamwill commented

2025-12-18 01:03:32 +00:00

https://pagure.io/fedora-infra/ansible/pull-request/3006 fixes the SSL issue and the path issue (which turned out to be due to some...interesting forgejo behavior). There's still the problem of whether it's better for staging forgejo to proxy to prod or staging pagure, but that's at least only an issue for staging.

I did notice another problem while working on this: the text immediately before the image isn't rendered right either. On Pagure it looks like this:

On Forgejo it looks like this:

I assume this is to do with sanitization, but just displaying the HTML tags as plain text ought to be perfectly safe...I've filed a Forgejo issue on that.

https://pagure.io/fedora-infra/ansible/pull-request/3006 fixes the SSL issue and the path issue (which turned out to be due to some...[interesting forgejo behavior](https://codeberg.org/forgejo/forgejo/issues/6360#issuecomment-9010932)). There's still the problem of whether it's better for staging forgejo to proxy to prod or staging pagure, but that's at least only an issue for staging. I did notice another problem while working on this: the text immediately before the image isn't rendered right either. On Pagure it looks like this: ![image](/attachments/0b092638-01db-4699-bc78-1fbef4a39ca8) On Forgejo it looks like this: ![image](/attachments/f5800f04-1138-4e32-99ba-cdaaf1548c25) I assume this is to do with sanitization, but just displaying the HTML tags as plain text ought to be perfectly safe...I've [filed a Forgejo issue](https://codeberg.org/forgejo/forgejo/issues/10472) on that.

image.png

92 KiB

image.png

59 KiB

adamwill commented

2026-01-02 17:04:22 +00:00

Oh, forgot to update here: I went ahead and did a slightly ugly fix to specifically proxy testdays-web requests from staging forgejo to prod pagure, so the test testdays-web migration should be 'really fixed' now. Please take a look and see if everything looks good, if so I think we could close this.

Oh, forgot to update here: I went ahead and did a [slightly ugly fix](https://pagure.io/fedora-infra/ansible/blob/main/f/roles/httpd/reverseproxy/templates/reversepassproxy.forge.conf#_18) to specifically proxy testdays-web requests from staging forgejo to prod pagure, so the test testdays-web migration should be 'really fixed' now. Please take a look and see if everything looks good, if so I think we could close this.

kparal commented

2026-01-06 12:20:52 +00:00

Author

@adamwill can you please summarize the current status? Is this supposed to be fixed both for forge.prod and forge.stg? And why is that testdays-web exception (above) necessary?

I still don't see images in quality/fedora-easy-karma#58 (compare with https://pagure.io/fedora-easy-karma/issue/58 ), so this doesn't seem to be working fully yet.

As for stg vs prod, ideally the migration script should remember where it migrated the project from (whether pagure.prod or pagure.stg), and the images should link to that location (regardless whether it's on forge.stg or forge.prod). If that's not possible/easy to do, then I'd say always redirect to pagure.prod, from both forge.prod and forge.stg. That makes testing migration possible (including images) and will be the majority use case.

@adamwill can you please summarize the current status? Is this supposed to be fixed both for forge.prod and forge.stg? And why is that testdays-web exception (above) necessary? I still don't see images in https://forge.fedoraproject.org/quality/fedora-easy-karma/issues/58 (compare with https://pagure.io/fedora-easy-karma/issue/58 ), so this doesn't seem to be working fully yet. As for stg vs prod, ideally the migration script should remember where it migrated the project from (whether pagure.prod or pagure.stg), and the images should link to that location (regardless whether it's on forge.stg or forge.prod). If that's not possible/easy to do, then I'd say always redirect to pagure.prod, from both forge.prod and forge.stg. That makes testing migration possible (including images) and will be the majority use case.

adamwill commented

2026-01-06 16:37:31 +00:00

OK, looking into the f-e-k case. The 404ing URLs have a three-element path, e.g. https://forge.fedoraproject.org/quality/fedora-easy-karma/fedora-easy-karma/issue/raw/files/b598b490bcf140b0645078e66813ac3cc79cc318201c632e007d7f3a432a7086-before.png. I'll go back and look at the redirect logic and see what I got wrong.

I don't think it's easy to do the 'remember where you migrated from' thing - at least, not in terms of 'get the information where it needs to go'. The redirects (proxies, really) are in apache config on the proxy hosts. That's a long way (in various senses) from the migration script in Forgejo. I also would choose to redirect to prod by default, but I think in Matrix chat somebody else had the opposite opinion...

OK, looking into the f-e-k case. The 404ing URLs have a three-element path, e.g. `https://forge.fedoraproject.org/quality/fedora-easy-karma/fedora-easy-karma/issue/raw/files/b598b490bcf140b0645078e66813ac3cc79cc318201c632e007d7f3a432a7086-before.png`. I'll go back and look at the redirect logic and see what I got wrong. I don't think it's easy to do the 'remember where you migrated from' thing - at least, not in terms of 'get the information where it needs to go'. The redirects (proxies, really) are in apache config on the proxy hosts. That's a long way (in various senses) from the migration script in Forgejo. I also would choose to redirect to prod by default, but I think in Matrix chat somebody else had the opposite opinion...

adamwill commented

2026-01-06 16:54:48 +00:00

Ohh. Wait. I think this is really easy: we didn't actually set up the reverse proxying for prod forgejo, it was done only for staging as a test. So right now prod forgejo doesn't proxy attachment requests to pagure at all. I'll fix that.

Ohh. Wait. I think this is really easy: we didn't actually set up the reverse proxying for *prod* forgejo, it was done only for staging as a test. So right now prod forgejo doesn't proxy attachment requests to pagure at all. I'll fix that.

adamwill commented

2026-01-06 18:39:21 +00:00

OK, yeah, looks like that was it. Seems like it's working now.

OK, yeah, looks like that was it. Seems like [it's working now](https://forge.fedoraproject.org/quality/fedora-easy-karma/issues/58#issuecomment-251578).

kparal commented

2026-01-07 09:48:48 +00:00

Author

Great, it seems to be working now, thanks!

Should we keep this open until we resolve the "where should forge.stg redirect to?" question, or close it now?

Great, it seems to be working now, thanks! Should we keep this open until we resolve the "where should forge.stg redirect to?" question, or close it now?

adamwill commented

2026-01-07 16:47:42 +00:00

I'd say let's close it, if you're particularly concerned about that, file a new ticket for it. It's easy enough to generalize the special-casing for whichever repos you want to handle (I can just use slightly fancier templating and a list).

kparal commented

2026-01-08 09:01:01 +00:00

Author

Ok, closing, thanks.

kparal closed this issue

2026-01-08 09:01:01 +00:00

Rows
Columns

Migration doesn't migrate issue attachments properly #321