proxies / src.fp.o: drop haproxy from src #3211

Merged
kevin merged 1 commit from kevin/ansible:no-haproxy-for-src into main 2026-03-12 20:36:51 +00:00
Owner

Right now requests go:

client -> httpd on proxy -> anubis -> httpd on proxy -> varnish -> haproxy -> pkgs01

but haproxy is pretty useless in this case.
There is only one backend (pkgs01) so no load balancing, and doing a
liveness check is also pointless because if it's down the request will
fail anyhow.

It might be that haproxy overhead is causing varnish to return retries
sometimes ( infra/tickets#13123 )

So, this drops it out for this.

Signed-off-by: Kevin Fenzi <kevin@scrye.com>

proxies / src.fp.o: drop haproxy from src
All checks were successful
Linter / yamllint (pull_request) Successful in 27s
Linter / ansible-lint (pull_request) Successful in 44s
AI Code Review / ai-review (pull_request_target) Successful in 27s
52b8097093

AI Code Review

📋 MR Summary

Removes HAProxy from the request pipeline for src.fedoraproject.org to simplify the architecture.

  • Key Changes:
    • Removed the src-frontend and src-backend blocks from HAProxy configuration.
    • Updated Varnish VCL to route traffic directly to the pkgs01 backend instead of the local HAProxy instance.
  • Impact: roles/haproxy, roles/varnish
  • Risk Level: 🟢 Low - The changes remove an unnecessary proxy hop to a single-node backend, which reduces complexity and overhead with minimal risk.

Detailed Code Review

The removal of the HAProxy layer for this specific service aligns well with the stated goal of reducing unnecessary overhead and retries, especially given there is only a single backend server (pkgs01). By pointing Varnish directly to the backend node, you simplify the request chain.

The Varnish configuration update correctly references the backend and utilizes http for the port designation. Varnish compiler (VCC) will resolve http using /etc/services to port 80, which matches the removed HAProxy configuration (pkgs01:80). Note that since the HAProxy health check (option httpchk) is being removed, Varnish will assume the backend is always healthy unless a .probe is explicitly defined in the VCL. Given the commit message states liveness checks are pointless here since the request would fail anyway, this behavior is expected.

📂 File Reviews

📄 `roles/varnish/templates/proxies.vcl.j2` - Updates Varnish backend configuration to point directly to pkgs01 instead of local HAProxy.
  • Minor [Suggestion]: Using string 'http' for .port is perfectly valid VCL as Varnish resolves it via /etc/services, but specifying the numeric port '80' is often preferred for explicitness and to avoid any reliance on local system service definitions.
    • Suggestion: Consider changing .port = "http"; to .port = "80"; for strict explicitness.
```
backend src {
    .host = "pkgs01";
    .port = "80";
}
```

Summary

  • Overall Assessment: No critical issues identified. The architecture simplification is implemented cleanly.
  • Minor Suggestions:
    • Use numeric port '80' instead of 'http' in the Varnish backend configuration for explicitness.

🤖 AI Code Review | Generated with ai-code-review | Model: gemini-3.1-pro-preview

⚠️ AI-generated suggestions may be incorrect. Verify before applying. Not a replacement for human review.

Author
Owner

Let's give it a try. Will deploy to stg and if all looks ok there do prod.

kevin merged commit 7413d9c84f into main 2026-03-12 20:36:51 +00:00