Tuesday, 2020-06-09

*** hamalq has quit IRC00:55
*** hamalq has joined #opendev-meeting03:29
*** hamalq_ has joined #opendev-meeting03:31
*** hamalq has quit IRC03:35
*** hamalq_ has quit IRC03:53
*** hamalq has joined #opendev-meeting05:42
*** hamalq has quit IRC05:46
*** hamalq has joined #opendev-meeting06:02
*** hamalq has quit IRC06:07
*** hamalq has joined #opendev-meeting06:15
*** hamalq has quit IRC06:20
*** hamalq has joined #opendev-meeting06:49
*** hamalq has quit IRC06:53
*** hamalq has joined #opendev-meeting07:05
*** hamalq has quit IRC07:09
*** hamalq has joined #opendev-meeting15:46
*** hamalq has quit IRC16:31
*** hamalq has joined #opendev-meeting16:33
*** hamalq_ has joined #opendev-meeting16:35
*** hamalq has quit IRC16:38
clarkbanyone else here for the meeting? we'll get started shortly19:00
fungisounds like a fun time19:00
ianwo/19:00
fungisure, why not19:00
clarkb#startmeeting infra19:01
openstackMeeting started Tue Jun  9 19:01:04 2020 UTC and is due to finish in 60 minutes.  The chair is clarkb. Information about MeetBot at http://wiki.debian.org/MeetBot.19:01
openstackUseful Commands: #action #agreed #help #info #idea #link #topic #startvote.19:01
*** openstack changes topic to " (Meeting topic: infra)"19:01
openstackThe meeting name has been set to 'infra'19:01
clarkb#link http://lists.opendev.org/pipermail/service-discuss/2020-June/000034.html Our Agenda19:01
clarkb#topic Announcements19:01
*** openstack changes topic to "Announcements (Meeting topic: infra)"19:01
clarkbNo announcements were listed19:01
mordredo/19:02
clarkb#topic Actions from last meeting19:02
*** openstack changes topic to "Actions from last meeting (Meeting topic: infra)"19:02
clarkb#link http://eavesdrop.openstack.org/meetings/infra/2020/infra.2020-06-02-19.03.txt minutes from last meeting19:03
clarkbLast week's meeting was informal and we ended up debugging the meetpad/jitsimeet/etherpad/xmpp case sensitivity thing19:03
clarkbNo explicit actions came out of that that we recorded. But I think it gave us a better understanding of what we can do to make that case handling difference less confusing19:04
corvuso/19:04
fungiseems like we have a plan for it though19:04
fungior at least some consensus of things we can do19:04
clarkbya I think what we've found is that case confusion is a thing and we should probably switch to enforcing lower case in etherpad to avoid that anyway19:04
clarkbthen we've got to deal with renaming/merging pads as necessary to handle that19:05
clarkb#topic Specs approval19:06
*** openstack changes topic to "Specs approval (Meeting topic: infra)"19:06
clarkbThis spec isn't ready for approval yet, but I wanted to call it out19:06
clarkb#link https://review.opendev.org/#/c/731838/ Central Authentication Service spec19:06
fungiyeah, it needs some heavy editing19:06
clarkbfungi: I think we half expect a new PS based on conversation we had at the PTG?19:06
fungigood feedback in there from neal too19:06
fungiyes, you can half expect it, but i fully intend to provide it ;_19:07
fungijust might not come this week19:07
fungiwe'll see19:07
clarkbthanks19:08
clarkb#topic Priority Efforts19:08
*** openstack changes topic to "Priority Efforts (Meeting topic: infra)"19:08
clarkb#topic Update Config Management19:08
*** openstack changes topic to "Update Config Management (Meeting topic: infra)"19:08
clarkbThe main topic I wanted to bring up here was the reorganization of our ansible inventory, groups, *vars, and base playbook19:08
clarkbWhat we've realized is that the vast majority of the base playbook is not service specific. It configures admin users and exim for email and ntp and so on.19:09
clarkbBut the playbook runs against all hosts which means if any one of them fails then playbook fails. This can then cause problems if you wanted letsencrypt to run on a specific host or zuul to be updated and those hosts were fine19:10
clarkbin order to make that more reliable we've split the iptablse role out of base as it is service specific and put that into our service roles. Then we can decouple running base as a requirement before every service update19:10
clarkbmordred: ^ is that a reasonable summary of the change? Anything else to add to that?19:10
mordredI think that's great19:10
clarkbfrom the operator side of things be aware files haev moved around and some config has been updated. You may need to rebase outstanding changes in system-config19:11
clarkbAny other configuration management items to bring up?19:12
mordredI think that's about it - we may have discovered we're actually ok to run zuul-executor in containers19:13
mordredcorvus is goign to verify - but I think I found that to be true now on friday19:13
mordredso I've got some patches up to do that19:13
clarkbmordred: the thought there is we have to give the container some additional permissions?19:13
mordredclarkb: turns out we don't seem to need anything past privileged19:14
corvuslocally i think i saw it working in bwrap but behaving weirdly inside docker itself.  but it sounds like mordred saw something different when trying on ze0119:14
mordredyeah19:14
mordredso it's possible there are differences wrt kernel versio or docker version from the original test - or who knows19:14
mordredbut i did bwrap inside of docker and it SEEMED to do the right things19:14
corvusbased on what i saw, i think we should be "okay" to do it without the seccomp stuff, but i think it might be more comfortable with seccomp19:15
corvusmordred: did you test out afs inside docker but not in bwrap?19:15
mordredcorvus: I think so?19:15
corvusk19:15
mordredcorvus: but - let's double-check :)19:15
corvusso if what mordred saw holds, then i agree, we should be gtg without anything else19:15
corvusi'll do this after the meeting19:16
corvus^ = confirm mordred's tests19:16
mordredif that works - we'll just be down to nodepool builder on arm running non-containerized - and we need to swing back around to that issue anyway19:16
clarkbthe arm nodepool builder is hung up on the odd stream crossing we saw with multi arch docker builds right?19:16
mordredyeah - which we need to reproduce and figure out what's going on19:17
ianwi can probably make some tiem for at least reproduction19:17
clarkb#topic OpenDev19:19
*** openstack changes topic to "OpenDev (Meeting topic: infra)"19:19
clarkb#link http://lists.opendev.org/pipermail/service-discuss/2020-May/000026.html Advisory Board thread.19:19
clarkbThe advisory board "recruiting" is still in progress. At the PTG we discussed that a gentle reminder to those who haven't responded is a good idea and then we'll move forward in a few weeks with who we get.19:19
clarkbThe thought is that by having some involvement we can generate interest and an example of what the system is there for19:20
clarkbI plan to send out those gentle reminders today19:20
fungilike a snowball rolling downhill19:20
corvusin june?19:21
clarkbOn the service disde of things Gitea 1.12.0 has had its second rc tag and I've got a change up to test a deployment of that. Looks like they've already added some additional bug fixes on top of that. We should hold off until the actual release I expect19:21
clarkbcorvus: in some parts of the world19:21
fungicorvus: feel like taking a trip to chile? ;)19:21
corvusfungi: yes19:21
clarkbthe good news is the templates have been very stable between rc1 and rc2 so any final release should be really close to ready and its just a matter of updating the tag I hope19:21
fungii've also got a change up for upgradnig the version of etherpad. supposedly a major cause of the "broken" pads is addressed with it19:22
clarkbI'm excited for this update as it adds caching of git commit info which should drastically speed up our rendering of repos with large histories like nova19:22
funginow that the ptg is done, this may be a good time for etherpad upgrades again19:22
clarkbfungi: ++ I think we can land and deploy that as soon as we are happy with the change and its testing19:23
fungijust double-checked and 1.8.4 is still the latest release19:23
corvuswhat does "broken" mean?19:24
clarkbcorvus: i think like the clarkb-test etherpad on the old etherpad-dev server19:25
clarkbcorvus: etherpads that eventually stop serving correctly19:25
fungiyeah, the ones which hang with "loading..."19:25
corvusack19:26
clarkbAnything else on OpenDev or shoudl we moev on?19:26
clarkb(I can't type today)19:26
fungii mentioned the change some weeks back in #opendev, but when we hit one of those there are telltale errors in the log which are referenced by the fix19:26
fungiso fingers crossed anyway19:26
clarkb#topic General Topics19:27
*** openstack changes topic to "General Topics (Meeting topic: infra)"19:27
clarkb#topic Project Renames19:28
*** openstack changes topic to "Project Renames (Meeting topic: infra)"19:28
clarkbI want to start with this one to make sure we get a chance to talk about it19:28
clarkbwe had pencilled in June 12 which is this Friday. Unfortunately I've discovered I have a kids doctor visit at ~1800UTC that day19:28
clarkbI'm happy to go ahead with it and help as I can (we can do it early friday or later friday and I'll be around) or move it to another day if we don't have enough people around19:29
clarkbalso we've added a few more renames since we last talked about this, the openstack foundation interop repos are getting moved now I guess19:29
fungialso it sounds like the openstack tc may want to rename a few more repos out of the openstack namespace into the osf namespace (relating to osf board of directors committees/working groups)19:29
fungier, yeah what you just said19:30
clarkbfungi: yup gmann added that to the list of things about half na hour agao19:30
fungiperfect19:30
clarkbdo we have any volunteers for Friday other than myself?19:30
fungii'll be around19:30
fungihappy to do renames19:31
clarkbfungi: cool do you have a perference on time and I'll do my best to be around to help ?19:31
fungilet's say not 18:00 utc in that case...19:31
clarkbI can start as early as 1400UTC, then have cut off around 1730UTC, and expect to be back around 2030 UTC19:31
clarkb(it'll likely be shorter than that but you never know with those visits)19:31
corvusi should be around but would like not to drive19:32
fungimy schedule is wide open friday. are there other volunteers with time constraints? i could certainly accommodate either of those windows19:32
fungi21:00 would work for me if that helps others19:32
clarkbThat works for me and should give me plenty of padding on my schedule19:33
clarkbwhy don't we go with that then. Thank you fungi !19:34
fungilet's do that then, we can always do some prep earlier in the day in anticipation too19:34
clarkb++ thanks19:34
clarkbBetween now and then we'll want to construct the yaml input to the renaming process and commit it to opendev/project-config once the renames happen19:34
fungiyep19:34
clarkbI can help coordinate with you to make sure we are ready by Friday19:35
fungisounds good, thanks19:35
clarkb#topic Pip and Virtualenv Next Steps19:35
*** openstack changes topic to "Pip and Virtualenv Next Steps (Meeting topic: infra)"19:35
clarkbianw: ^ Any update on this subject?19:35
clarkbI believe I saw at least one project (octavia) testing that the chagnes don't break them which was reassuring19:35
ianwyeah, i didn't get any complaints, and some people saying things worked19:36
ianw#link https://review.opendev.org/73442819:36
ianwthat's the review to drop it, so ... i guess we just do it?  i'm not sure what else to do19:36
fungiwfm19:37
clarkbwe've communicated it, at least some people have done testing and reinforced the expectation that this will be low impact, I think the next step is to land the change19:37
AJaeger++19:38
fungithis is also early enough in openstack's release cycle that any resulting disruption can be addressed at a comfortable pace19:38
ianwthe one to watch for is if people say virtualenv is missing19:39
ianwtheir best bet is to add "ensure-virtualenv" role19:39
AJaegerianw: please send an email once we merge the change19:39
clarkba followup to the announcement thread would be good indicated we've landed the change once that happens19:39
clarkbAJaeger: ++19:39
ianwwill do19:39
clarkbanything else on this topic?19:40
ianwno, thanks19:40
clarkb#topic DNS Cleanup19:41
*** openstack changes topic to "DNS Cleanup (Meeting topic: infra)"19:41
clarkbianw: did we end up publishing the contents for comment yet?19:41
ianwit looks like the backup went into merge failure19:41
ianw#link https://review.opendev.org/#/c/728739/19:41
ianwbut it would be good to merge that19:42
ianwthe one to look through is19:42
ianw#link https://etherpad.opendev.org/p/rax-dns-openstack-org19:42
ianwperhaps to make it more manageable, if people want to delete from that things that should definitely stay, it will reduce it19:43
clarkbthanks and I guess we can just mark that up with comments around what can be removed?19:43
clarkbah ya I see the note about removing things that should definitely stay, thanks19:43
clarkbI'll try to take a look at that today19:44
clarkb#topic PTG Recap19:45
*** openstack changes topic to "PTG Recap (Meeting topic: infra)"19:45
clarkb#link http://lists.opendev.org/pipermail/service-discuss/2020-June/000035.html Recap Email19:45
clarkbI wrote a long email trying to cover the important bits of the PTG for us19:45
clarkbOverall I think it went well.19:45
clarkbFrom an operations side meetpad seemed to work with most of its scaling issues being client side19:46
clarkbthere were some annoying things like the etherpad focus going away when people talked sometimes and needign to reconnect because all sound went away19:46
clarkbbut overall it held up and the groups using it seemed happy (though groups with more than 20 had less success)19:46
clarkbAs participants we managed to get through our agenda. I think the total of 6 hours was about correct for us19:47
clarkb#link https://etherpad.opendev.org/p/June2020-PTG-Feedback Provide your PTG event feedback19:47
fungii was pleased with the way it worked out19:47
clarkbthe PTG organizers are soliciting feedback on the etherpad I just linked. Feel free to add your thoughts there19:47
corvusi have heard from folks they'd like to continue (trying) to use meetpad in the future; i think we can/should wind down pbx in favor of meetpad19:47
clarkbcorvus: ++19:48
fungii concur19:48
clarkbOne of the things we talked about was getting off of pytho3n for our little tools and utilities as well as services.19:48
fungiwe lose the dial-in trunk though19:48
clarkbI've started to try and put together an audit of the todo list around that19:48
clarkb#link https://etherpad.opendev.org/p/opendev-tools-still-running-python2 Python2 Audit19:48
clarkbfungi: jitsi meet supports that and I think we can even use the same number19:48
clarkbfungi: but that is new config we need to sort out19:48
clarkb(I don't know how it maps phone calls to meeting rooms as an example)19:49
clarkbOne thing that was missing from the virtual event was unwind/decompression time19:49
fungiyeah, i figured it was something we could add19:49
clarkbat the in person events there are game nights and dinner with people19:50
clarkbI was wondering if anyone was interested in trying some virtual form of that19:50
clarkbmore likely to be game night than dinner :)19:50
fungialso beer you don't have to pour yourself ;)19:50
fungii guess i can get over pouring my own19:50
clarkbI've discovered hedgewars does remote multiplayer and maybe we can play a silly game of that with comms over meetpad19:50
clarkbits an open source clone of worms armageddon19:51
clarkbI'm open to other ideas or being told that there isn't sufficient interest19:51
clarkbAnything else to call out from the PTG?19:52
clarkb#topic Trusty Updates19:53
*** openstack changes topic to "Trusty Updates (Meeting topic: infra)"19:53
clarkbfungi: want to quickly recap the comodo cert situation?19:53
fungisure19:53
fungias of june 1, the old comodo/addtrust certificate authority ca cert expired19:54
fungisome of our sites used and still use certs which were validated through a chain including that as an intermediate19:54
fungione in particular is openstackid.org19:55
fungiwe discovered that on older python deployments, like that found on ubuntu trusty, the cert validation behavior of the requests module is to report a failure/exception if there is an expired cert in the chain bundle, even if another cert in the bundle is sufficient to validate the server's cert19:56
fungithis was causing people to be unable to log into refstack.openstack.org19:56
fungiit was ultimately "fixed" by updating the intermediate chain bundle on the openstackid.org server to no longer include the expired (and thus useless) addtrust cert19:57
fungileaving only the newer sectigo cert19:58
clarkband that is something we should apply to our other sectigo certs?19:58
fungithis matches the current chain bundle recommended by sectigo (the ca of record for our non-le certs obtained from namecheap)19:58
fungiit likely depends on what's out there accessing those sites19:59
fungiwe can safely remove the old addtrust ca from all our intermediate bundles, but a lot of the copies i found are stale from before we started moving stuff to le19:59
clarkbya so two layers of cleanup there I expect20:00
fungiso we could consider generally cleaning up old data in our hiera20:00
clarkb++20:00
clarkband that takes us to the end of our alotted time20:00
clarkbthank you everyone20:00
clarkbFeel free to continue conversation in #opendev20:00
fungiif someone knows a programmatic way to identify those, that would be great20:00
clarkbbut I'll end the meeting now to ensure people can eat breakfast/lunch or go to bed :)20:00
clarkb#endmeeting20:00
fungithanks clarkb!20:00
*** openstack changes topic to "Incident management and meetings for the OpenDev sysadmins; normal discussions are in #opendev"20:00
openstackMeeting ended Tue Jun  9 20:00:53 2020 UTC.  Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4)20:00
openstackMinutes:        http://eavesdrop.openstack.org/meetings/infra/2020/infra.2020-06-09-19.01.html20:00
openstackMinutes (text): http://eavesdrop.openstack.org/meetings/infra/2020/infra.2020-06-09-19.01.txt20:00
openstackLog:            http://eavesdrop.openstack.org/meetings/infra/2020/infra.2020-06-09-19.01.log.html20:00

Generated by irclog2html.py 2.17.2 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!