*** sreejithp_ has quit IRC | 00:16 | |
*** michael-beaver has quit IRC | 00:25 | |
*** sreejithp has joined #airshipit | 01:13 | |
*** happyhemant has quit IRC | 01:23 | |
*** sreejithp has quit IRC | 01:39 | |
*** sreejithp has joined #airshipit | 02:22 | |
*** calw has joined #airshipit | 02:38 | |
*** Talion has quit IRC | 02:43 | |
*** sreejithp_ has joined #airshipit | 02:50 | |
*** sreejithp has quit IRC | 02:53 | |
*** licanwei has joined #airshipit | 03:17 | |
*** altlogbot_0 has quit IRC | 03:44 | |
*** altlogbot_0 has joined #airshipit | 03:44 | |
*** altlogbot_0 has quit IRC | 04:38 | |
*** altlogbot_1 has joined #airshipit | 04:40 | |
*** sreejithp_ has quit IRC | 04:49 | |
*** anyrude10_ has quit IRC | 05:55 | |
*** anyrude10_ has joined #airshipit | 05:56 | |
anyrude10_ | Hi Team, Can we setup Airship-Seaworthy on our Virtual Environment? If yes, what type of configuration do we need for it? | 05:56 |
*** aojea has joined #airshipit | 06:17 | |
*** jamesgu_ has quit IRC | 06:29 | |
*** roman_g has joined #airshipit | 06:49 | |
*** mbeierl has quit IRC | 08:03 | |
*** nishantkr has quit IRC | 08:35 | |
anyrude10_ | <roman_g> I tried using your suggested steps and it passed the previous error, but now giving error in ucp-Rabbitmq. ERROR armada.handlers.wait [-] [chart=ucp-rabbitmq]: Timed out waiting for statefulsets (namespace=ucp, labels=(release_group=airship-ucp-rabbitmq)). These statefulsets were not ready=['airship-ucp-rabbitmq-rabbitmq'] 2019-05-29 10: | 10:22 |
anyrude10_ | ERROR armada.handlers.wait [-] [chart=ucp-rabbitmq]: Timed out waiting for statefulsets (namespace=ucp, labels=(release_group=airship-ucp-rabbitmq)). These statefulsets were not ready=['airship-ucp-rabbitmq-rabbitmq'] 2019-05-29 10:20:21.329 1 ERROR armada.handlers.armada [-] Chart deploy [ucp-rabbitmq] failed: armada.exceptions.k8s_exceptions. | 10:23 |
*** happyhemant has joined #airshipit | 10:56 | |
anyrude10_ | Airship in Bottle, facing the error http://lists.airshipit.org/pipermail/airship-discuss/2018-November/000176.html | 11:30 |
*** redrobot has quit IRC | 11:39 | |
*** howell has joined #airshipit | 12:31 | |
*** calw has quit IRC | 12:57 | |
*** mbeierl has joined #airshipit | 13:06 | |
openstackgerrit | Alexander Hughes proposed airship/spyglass master: [WIP] Spyglass opensuse support https://review.opendev.org/659692 | 13:17 |
*** aaronsheffield has joined #airshipit | 13:19 | |
*** kranthikirang has joined #airshipit | 13:20 | |
openstackgerrit | Alexander Hughes proposed airship/spyglass master: [WIP] Update Spyglass base image to ubuntu xenial https://review.opendev.org/661980 | 13:22 |
*** kranthikirang has quit IRC | 13:27 | |
*** michael-beaver has joined #airshipit | 13:28 | |
mattmceuen | hey anyrude10_: for using airship-seaworthy in a virtual environment, the answer is "yes, with some amount of customization" :) | 13:41 |
mattmceuen | The site manifests are all configuration, so you'd need to combine the right config for running in VMs with whatever you'd like to leverage from airship-seaworthy | 13:42 |
*** sreejithp has joined #airshipit | 13:43 | |
mattmceuen | Have you checked out the airship-in-a-bottle multinode setup? https://opendev.org/airship/in-a-bottle/src/branch/master/tools/multi_nodes_gate | 13:47 |
mattmceuen | It's scripting + a site definition that the developers often use for standing up a multi-node airship inside of a big VM. | 13:48 |
mattmceuen | We're in the process of migrating airship-in-a-bottle (single VM demo and multi-VM setup) into the treasuremap project, so that it will be aligned to the same global manifests that airship-seaworthy uses -- at that point it may be easier to do what you need as well. evgenyl has a patchset up for this. | 13:49 |
mattmceuen | If you can give me any more details of what you're trying to achieve I can try to help! | 13:50 |
openstackgerrit | Ian Pittwood proposed airship/spyglass master: Separate plugins from Spyglass https://review.opendev.org/653555 | 13:53 |
mattmceuen | anyrude10_: for your airship-in-a-bottle issue, are you getting it with the latest version of the https://opendev.org/airship/in-a-bottle project? | 13:54 |
openstackgerrit | Ian Pittwood proposed airship/spyglass master: Schema validation https://review.opendev.org/659172 | 14:01 |
openstackgerrit | Anthony Bellino proposed airship/shipyard master: Update Airflow logrotate logic https://review.opendev.org/656033 | 14:02 |
*** jamesgu_ has joined #airshipit | 14:02 | |
openstackgerrit | Anthony Bellino proposed airship/shipyard master: Add pod affinity to Shipyard and Airflow https://review.opendev.org/659893 | 14:02 |
openstackgerrit | Merged airship/pegleg master: Fix --save-location error in decrypt command https://review.opendev.org/661827 | 14:12 |
openstackgerrit | Merged airship/pegleg master: Fix multiple I/O issues in cert generation https://review.opendev.org/643678 | 14:12 |
openstackgerrit | Alexander Hughes proposed airship/pegleg master: Update Pegleg base image to ubuntu xenial https://review.opendev.org/661088 | 14:23 |
openstackgerrit | Ian Pittwood proposed airship/spyglass master: Adds Safety dependency vulnerability checks https://review.opendev.org/658854 | 14:46 |
openstackgerrit | Merged airship/spyglass master: Removes remaining yapf: disable statements https://review.opendev.org/658143 | 14:53 |
openstackgerrit | Alexander Hughes proposed airship/spyglass master: [WIP] Update Spyglass base image to ubuntu xenial https://review.opendev.org/661980 | 15:08 |
openstackgerrit | Alexander Hughes proposed airship/spyglass master: Update Spyglass base image to ubuntu xenial https://review.opendev.org/661980 | 15:24 |
openstackgerrit | Ian Pittwood proposed airship/spyglass-plugin-xls master: Updates YAPF settings to match Spyglass https://review.opendev.org/662020 | 15:29 |
openstackgerrit | Ian Pittwood proposed airship/spyglass master: Separate plugins from Spyglass https://review.opendev.org/653555 | 15:30 |
*** altlogbot_1 has quit IRC | 15:35 | |
*** altlogbot_1 has joined #airshipit | 15:35 | |
openstackgerrit | Ian Pittwood proposed airship/spyglass master: Manifest undefined data validation https://review.opendev.org/655683 | 15:35 |
*** irclogbot_2 has quit IRC | 15:35 | |
*** irclogbot_2 has joined #airshipit | 15:36 | |
openstackgerrit | Merged airship/spyglass-plugin-xls master: Various fixes for plugin separation https://review.opendev.org/659116 | 15:45 |
*** arunkant has joined #airshipit | 15:45 | |
*** arunkant has quit IRC | 15:55 | |
*** kskels has joined #airshipit | 16:02 | |
*** arunkant_ has joined #airshipit | 16:02 | |
*** arunkant_ has quit IRC | 16:03 | |
*** arunkant has joined #airshipit | 16:03 | |
*** arunkant_ has joined #airshipit | 16:03 | |
*** arunkant_ has quit IRC | 16:03 | |
arunkant | roman_g: Hi, will you be able to review this patch (deckhand opensuse image support) and possibly workflow it https://review.opendev.org/#/c/638301/ | 16:07 |
openstackgerrit | Ian Pittwood proposed airship/spyglass-plugin-xls master: Updates YAPF settings to match Spyglass https://review.opendev.org/662020 | 16:14 |
openstackgerrit | Alexander Hughes proposed airship/pegleg master: [WIP] Update Pegleg base image to ubuntu xenial https://review.opendev.org/661088 | 16:17 |
openstackgerrit | Ian Pittwood proposed airship/spyglass master: Schema validation https://review.opendev.org/659172 | 16:17 |
openstackgerrit | Merged airship/spyglass master: Separate plugins from Spyglass https://review.opendev.org/653555 | 16:21 |
openstackgerrit | Alexander Hughes proposed airship/spyglass master: [WIP] Update Spyglass base image to ubuntu xenial https://review.opendev.org/661980 | 16:21 |
*** happyhemant has quit IRC | 16:24 | |
*** aojea has quit IRC | 16:35 | |
openstackgerrit | Ian Pittwood proposed airship/spyglass-plugin-xls master: Adds force option to manifest generation https://review.opendev.org/662034 | 16:38 |
openstackgerrit | Ian Pittwood proposed airship/spyglass master: Manifest undefined data validation https://review.opendev.org/655683 | 16:39 |
openstackgerrit | Alexander Hughes proposed airship/pegleg master: [WIP] Update Pegleg base image to ubuntu xenial https://review.opendev.org/661088 | 16:43 |
openstackgerrit | Ian Pittwood proposed airship/spyglass master: Schema validation https://review.opendev.org/659172 | 16:44 |
openstackgerrit | Ian Pittwood proposed airship/spyglass master: Adds Safety dependency vulnerability checks https://review.opendev.org/658854 | 16:47 |
openstackgerrit | Ian Pittwood proposed airship/spyglass-plugin-xls master: Adds Safety dependency vulnerability checks https://review.opendev.org/662039 | 16:52 |
*** howell has quit IRC | 17:01 | |
openstackgerrit | Merged airship/treasuremap master: Add tag filter parameter to the updater tool https://review.opendev.org/660429 | 17:03 |
openstackgerrit | Merged airship/treasuremap master: Fix: tools/airship permissions and directories issues https://review.opendev.org/661600 | 17:06 |
evgenyl | Can somebody help with reviews for MaaS patch https://review.opendev.org/#/c/653551/ ? I have been struggling with this problem during AIAB testing. | 17:10 |
arunkant | can anyone help with review for this deckhand patch https://review.opendev.org/#/c/638301/ ? It has been waiting for one more review and workflow for quite some time. | 17:15 |
openstackgerrit | Merged airship/maas master: Add explicit rackd image sync https://review.opendev.org/653551 | 17:20 |
openstackgerrit | Evgeniy L proposed airship/treasuremap master: Update Jenkinsfile's to use Ubuntu-based images https://review.opendev.org/660441 | 17:26 |
kskels | arunkant: I have given +2 to your PS, so given all gates pass - it should merge shortly | 17:56 |
openstackgerrit | Michael Beaver proposed airship/shipyard master: Follow up change for deployment-status ConfigMap https://review.opendev.org/661854 | 18:12 |
*** howell has joined #airshipit | 18:15 | |
openstackgerrit | Kaspars Skels proposed airship/deckhand master: Adding opensuse image build for deckhand https://review.opendev.org/638301 | 18:16 |
*** alexanderhughes has joined #airshipit | 18:16 | |
mattmceuen | evgenyl & kskels: I left some feedback for future todos/questions in the treasuremap aiab patchset, but will +2 once it tests ok for me, since they're existing concerns with aiab as-is -- please still take a look at those items and let me know what you think | 18:24 |
evgenyl | mattmceuen: Agree with everything you said! I will refactor this using tools/airship and remove these custom creds/tests and reuse other scripts that we already have in treasuremap. I also agree about hardcoded absolute paths, they should go away. Wanted to do it iteratively with small patch-sets which are easy to track and review. | 18:31 |
mattmceuen | perfect - thanks evgenyl! | 18:37 |
alexanderhughes | question on image scanning - https://quay.io/repository/airshipit/pegleg/manifest/sha256:86d47bf777216eb28c4fc3594e57b0f758fd532b7e88a17ab8e5bd4f42dcd44e?tab=vulnerabilities is the pegleg vulnerability report from quay on the latest master image... it shows more than 600 vulnerabilities, 50 of which are high | 18:38 |
alexanderhughes | I've got a patch to address much of that, I've got it (locally scanned with clair) down to 135 vulnerabilities, 0 of which are high. what's the 'acceptable' CVE risk we're willing to take on these projects? medium? low? | 18:39 |
alexanderhughes | which brings me to my next point, I'd like to do a POC against pegleg or spyglass to have zuul run clair to let us know if there are any vulnerabilities above that threshold in the image layers | 18:42 |
alexanderhughes | any thoughts? if it works it could be useful across all of airship to tighten things up a bit | 18:43 |
evgenyl | We may want to have all of them to be 0, but practically we should have at least high and medium to be 0. Are there any specific reasons we keep all dependencies pinned with `==`? This makes the maintenance of these packages harder; this is the main reason why other OS packages usually keep their packages unpinned, and use ranges if needed. | 18:44 |
evgenyl | *other OS projects | 18:44 |
alexanderhughes | in spyglass ian and I have been discussing the use of 'safety' module to check the python modules for vulnerabilities and alert. but the vulnerabilities I found in image layers are separate from the python modules | 18:45 |
evgenyl | alexanderhughes: does this mean that `python:3.6` image does not have all these vulnerabilities patched? | 18:48 |
alexanderhughes | correct. when I scanned the pegleg image created with a python:3.6 base image I had 635 vulnerabilities in clair. when I used the makefile in my patch here https://review.opendev.org/#/c/661088/ and scanned again, the new pegleg image had 135 | 18:49 |
evgenyl | alexanderhughes: Oh, this is what this patch is for, have not seen your comment. Do you still have the report available to check how many of those are Mediums after switching to ubuntu xenial? | 18:51 |
alexanderhughes | evgenyl: give me a few moments I'll re-generate the report and do a count on medium | 18:52 |
alexanderhughes | evgenyl: 60 mediums on xenial | 18:54 |
openstackgerrit | Merged airship/treasuremap master: [seaworthy gate] Explicitly configure auth parmaters https://review.opendev.org/661363 | 18:58 |
evgenyl | alexanderhughes: Thank you for the info. I looked at examples of Medium vulns, and it is hard to give a quantitative threshold, the severity depends on our usage of e.g. standard python libraries. I'm wondering if instead of a scanner check we can get a periodic job, that would get the latest ubuntu xenial image with all most recent vulns fixed and push an updated version of the image. | 19:00 |
evgenyl | alexanderhughes: Updating the base image is what we would probably do anyway if we see some new High vuln detected in our image. | 19:00 |
alexanderhughes | evgenyl: that's one approach, I think the scanning method would give us a better indication of something 'bad' happening. the vulnerability database is updated daily, and a vulnerability can come from not just the base image but any of the other steps in the dockerfile so it'd be better to scan the final image as a whole in my opinion | 19:05 |
alexanderhughes | just playing devil's advocate if I introduced a RUN sudo apt-get install -y some_package=vulnerable_version we'd want to catch that rather than just blame the base image | 19:10 |
openstackgerrit | Ian Pittwood proposed airship/pegleg master: Pin dependency versions https://review.opendev.org/662069 | 19:11 |
*** weystrom has joined #airshipit | 19:11 | |
weystrom | hey guys, i wanted to run small airship deployment to check it out, tried both the bottle and airskif way, both deployments get stuck on postgresql-0 pod which complains either about DB 'postgres' not existing or missing ip in pg_hba.conf. Looks like the pod config is wrong, i'm currently looking through the setup to understand it better, but maybe there's already a solution for this? Thanks. | 19:13 |
openstackgerrit | Ian Pittwood proposed airship/spyglass master: [WIP] Data objects for Spyglass https://review.opendev.org/658917 | 19:16 |
evgenyl | alexanderhughes: Agree, the scanning should be done on the entire image. I was thinking about the entire flow, when the issue is reported, who is going to analyze it and how are we going to fix the vulnerabilities? Analyzing the report is not trivial, and would require a core to go through the code and spend quite some time on that, we may not have enough resources on that. Fixing any vulnerability that scanner detects | 19:16 |
evgenyl | requires to pull new base image or pip dependency, if it's not fixed in upstream, I don't think there is too much we can do. If we have a hard rule to unpin all dependencies and would have a periodic job to rebuild those we should be able to cover most of the problems except when somebody pins the package to a specific version, the latter we can enforce on review stage. | 19:16 |
evgenyl | weystrom: Many people report this problem, and it seems to be related to nfs-provisioner that we use for these demo/testing envs, for production use-cases we have Ceph. There is an ongoing work in OpenStack-Helm which allows to mount host directories directly, we are considering to use this instead of nfs based volumes. Can you provide a bit more details, where do you run Airship in a bottle? | 19:22 |
weystrom | right now i'm trying out airskif and it's way better than the bottle, at least the code looks fresher, i'm running it on a single ubuntu 16.04 baremetal host | 19:24 |
weystrom | i can try replacing nfs with hostpath and see if it spins up i guess | 19:24 |
openstackgerrit | Alexander Hughes proposed airship/pegleg master: [WIP] Update Pegleg base image to ubuntu xenial https://review.opendev.org/661088 | 19:37 |
alexanderhughes | evgenyl: checked again with a bionic image, down to 65 vulnerabilities, 36 medium, 0 high vs xenial which had 135 vulnerabilities, 60 medium, 0 high | 19:39 |
alexanderhughes | either way we go whether we repackage or alert on vulnerability, at some point someone has to go look into it. no magic cure here I think | 19:40 |
openstackgerrit | Merged airship/treasuremap master: Update Jenkinsfile's to use Ubuntu-based images https://review.opendev.org/660441 | 19:44 |
openstackgerrit | Sreejith Punnapuzha proposed airship/in-a-bottle master: make bridge-nf configurations persistent https://review.opendev.org/662080 | 19:49 |
*** licanwei has quit IRC | 19:57 | |
*** howell has quit IRC | 19:57 | |
openstackgerrit | Sreejith Punnapuzha proposed airship/in-a-bottle master: make bridge-nf configurations persistent https://review.opendev.org/662080 | 19:58 |
openstackgerrit | Sreejith Punnapuzha proposed airship/in-a-bottle master: make bridge-nf configurations persistent https://review.opendev.org/662080 | 20:03 |
openstackgerrit | Michael Beaver proposed airship/shipyard master: Add unit tests and fix comments/samples https://review.opendev.org/661854 | 20:03 |
openstackgerrit | Alexander Hughes proposed airship/pegleg master: [WIP] Update Pegleg base image to ubuntu bionic https://review.opendev.org/661088 | 20:06 |
openstackgerrit | Alexander Hughes proposed airship/pegleg master: [WIP] Update Pegleg base image to ubuntu bionic https://review.opendev.org/661088 | 20:12 |
openstackgerrit | Evgeniy L proposed airship/treasuremap master: Uplift all components except Armada https://review.opendev.org/662085 | 20:15 |
openstackgerrit | Alexander Hughes proposed airship/pegleg master: [WIP] Update Pegleg base image to ubuntu bionic https://review.opendev.org/661088 | 20:16 |
*** weystrom has quit IRC | 20:17 | |
openstackgerrit | Sreejith Punnapuzha proposed airship/in-a-bottle master: make bridge-nf configurations persistent https://review.opendev.org/662080 | 20:35 |
openstackgerrit | Sreejith Punnapuzha proposed airship/in-a-bottle master: make bridge-nf configurations persistent https://review.opendev.org/662080 | 20:36 |
*** weystrom has joined #airshipit | 20:43 | |
openstackgerrit | Evgeniy L proposed airship/treasuremap master: Uplift MaaS to fix resource-import hanging https://review.opendev.org/662090 | 20:50 |
openstackgerrit | Alexander Hughes proposed airship/pegleg master: [WIP] Update Pegleg base image to ubuntu bionic https://review.opendev.org/661088 | 20:56 |
*** alexanderhughes has quit IRC | 21:02 | |
openstackgerrit | Ian Pittwood proposed airship/spyglass master: [WIP] Implements data object models https://review.opendev.org/662092 | 21:04 |
openstackgerrit | Ian Pittwood proposed airship/spyglass-plugin-xls master: [WIP] Implements data objects in excel extractor https://review.opendev.org/662093 | 21:05 |
*** mbeierl has quit IRC | 21:22 | |
openstackgerrit | Ian Pittwood proposed airship/spyglass master: Data objects for Spyglass https://review.opendev.org/658917 | 21:25 |
*** sreejithp has quit IRC | 21:28 | |
openstackgerrit | Merged airship/in-a-bottle master: make bridge-nf configurations persistent https://review.opendev.org/662080 | 21:31 |
*** mbeierl has joined #airshipit | 21:34 | |
openstackgerrit | Arijit Bose proposed airship/in-a-bottle master: [site update] update software https://review.opendev.org/655197 | 21:35 |
*** mbeierl has quit IRC | 21:39 | |
*** mbeierl has joined #airshipit | 21:53 | |
*** mbeierl has quit IRC | 21:57 | |
openstackgerrit | Anthony Bellino proposed airship/promenade master: Add pod anti-affinity to apiserver-webhook https://review.opendev.org/662101 | 22:12 |
*** mbeierl has joined #airshipit | 22:13 | |
*** ianychoi has quit IRC | 22:32 | |
*** ianychoi has joined #airshipit | 22:33 | |
*** mbeierl has quit IRC | 22:35 | |
*** aaronsheffield has quit IRC | 22:58 |