Tuesday, 2021-05-04

*** hamalq_ has quit IRC01:00
*** sboyron has joined #opendev-meeting05:46
*** hashar has joined #opendev-meeting06:49
*** hamalq has joined #opendev-meeting16:27
*** hamalq has quit IRC16:35
*** hamalq has joined #opendev-meeting16:35
*** hashar has quit IRC16:55
*** sboyron has quit IRC18:08
*** hashar has joined #opendev-meeting18:41
*** diablo_rojo has joined #opendev-meeting19:00
fungimeeting time?19:00
clarkbhello it is19:00
clarkbwe'll get started shortly19:00
clarkbI need a minute to get some notes together19:00
ianwo/19:01
clarkb#startmeeting infra19:01
openstackMeeting started Tue May  4 19:01:11 2021 UTC and is due to finish in 60 minutes.  The chair is clarkb. Information about MeetBot at http://wiki.debian.org/MeetBot.19:01
openstackUseful Commands: #action #agreed #help #info #idea #link #topic #startvote.19:01
*** openstack changes topic to " (Meeting topic: infra)"19:01
openstackThe meeting name has been set to 'infra'19:01
clarkb#link http://lists.opendev.org/pipermail/service-discuss/2021-May/000228.html Our Agenda19:01
clarkb#topic Announcements19:01
*** openstack changes topic to "Announcements (Meeting topic: infra)"19:01
clarkbI won't be able to make the meeting next week as it conflicts with an appointment I can't easiyl move19:01
clarkbwe'll either need a volunteer meeting chair or cancel it19:02
clarkb(I'm happy with canceling it as I suspect we may only have 2 or 3 participants)19:02
diablo_rojoo/19:02
fungii'm fine skipping next week19:02
clarkbwfm19:03
clarkb#topic Actions from last meeting19:04
*** openstack changes topic to "Actions from last meeting (Meeting topic: infra)"19:04
clarkb#link http://eavesdrop.openstack.org/meetings/infra/2021/infra.2021-04-27-19.04.txt minutes from last meeting19:04
clarkbfungi has/had an action to push changes to retire survey and ianw has a similar action for pbx19:04
clarkbhave those changes made it to gerrit yet?19:04
ianwnot yet19:04
clarkb#action ianw Push changes to retire pbx.openstack.org19:04
clarkbfungi: ^ any news on that from you?19:05
fungioh, yeah i have that up for review, just a sec19:05
fungi#link https://review.opendev.org/789060 Deprovision Limesurvey config management and docs19:05
fungishould be complete, reviews welcome19:05
clarkbthanks!19:05
fungionce it merges i can take the server offline19:06
clarkb#topic Priority Efforts19:06
*** openstack changes topic to "Priority Efforts (Meeting topic: infra)"19:06
clarkb#topic OpenDev19:06
*** openstack changes topic to "OpenDev (Meeting topic: infra)"19:06
fungii still find it amusing that the opendev infra meeting has an opendev topic ;)19:06
clarkbheh19:06
clarkbfungi: you have a couple of opendev related items to bring up19:07
fungioh, yeah probably. dealer's choice19:07
clarkb#link https://review.opendev.org/789098 Update our base nodeset to focal19:07
fungiright, that one19:07
fungiso mainly we need to announce a date19:07
fungiwhat seems like a reasonable warning timeframe? one week? two? a month?19:07
clarkbI was thinking 2-4 weeks19:07
clarkbits fairly easy to test if it works as a user. YOu push up changes to swap early and if it breaks you fix it19:08
fungithe openstack-discuss ml has a related thread in progress about devstack's master branch dropping bionic support19:08
fungialso our base-test job is already updated to ubuntu-focal, so you can try reparenting a job in a dnm change19:08
fungiokay, so send announcement today, switch on may 18? 25? june 1?19:09
fungijune 8 would be 4 weeks19:09
ianwi think earlier is better IMO19:09
fungii'm good with may 1819:09
ianw++19:10
clarkbno objects to that from me19:10
clarkb*no objections19:10
ianwpull the bandaid off :)19:10
fungithis ubuntu version is already over a year old19:10
fungi#agreed announce base job nodeset change to ubuntu-focal for 2021-05-1819:10
fungii'll send that asap after the meeting ends19:10
clarkbthanks19:11
clarkb#link https://review.opendev.org/789383 Updating gerrit config docs and planning acl simplification19:11
clarkbThis is the other one. Basically it documents a simplification of the global gerrit acls that we'd liek to make now that openstack has a meta proejct for openstack specific acls19:11
clarkbI think at this point we should probably go for it and then do the acl update too19:12
fungiyeah, the summary is that we've moved the openstack release management special cases into a contentless repo inherited by everything in the openstack/ namespace19:12
fungiso we should be able to remove their permission to do stuff to projects outside openstack/ with no impact to them now19:13
fungii also rolled some config doc cleanup in with that change19:13
fungibut basically happy to remove those permissions once the documentation change reflecting it merges19:14
clarkbsounds good19:14
clarkbHas anyone had time to look over my large list of probably safe gerrit account cleanups?19:14
fungii would like to say i have, but that's probably a lie?19:15
clarkbheh ok :)19:15
fungii honestly don't remember now, so i should look again anyway19:16
clarkbwell if ya'll manage to find time to look at those I would appreciate it so I can tackle the next group19:16
clarkb#topic Update Config Management19:16
*** openstack changes topic to "Update Config Management (Meeting topic: infra)"19:16
clarkbI've been dabbling with the ansible recently.19:16
fungia time-honored tradition19:17
clarkbHave a change up to enable ubuntu ESM if we don't want to do that by hand. In particular we do need to update the unattended upgrades list if we want to have those updates apply automatically and my change reflects that19:17
clarkbI also have a change up to start ansibling mailman stuff but it is nowhere near complete19:17
fungimaybe we should talk about esm a bit first?19:17
clarkbsure19:17
clarkbThe way I have written that change it would only apply if we set some host_vars flags and secrets on a per host basis19:18
clarkbIt should be safe to land as is, then we can "enroll" servers simply by adding that host var info19:18
fungiso, what is ubuntu esm, and how do we have access?19:18
clarkbah right19:18
clarkbubuntu esm is ubuntu's extended support effort for LTS releases19:18
fungiso, like, after they reach eol19:19
clarkbLTSs typically get 5 years of support, but if you need more you can enroll in ubuntu advantage and make use of the "esm-infra" packaging19:19
fungiand that's normally a paid thing, right?19:20
clarkbThis is available for free to various contributors and such. ttx and I reached out to them to see if opendev could have access too and they said yes19:20
fungiawesome. thanks canonical! very generous, and may help us limp along on some of our xenial servers a bit longer while we're behind on upgrades19:20
clarkbbut ya typically I expect most users would pay for this. It also includes other things like fips support and landscape and lvie kernel patching. We don't want any of that just esm access19:21
clarkbThe way I've written the change it tries to be very careful and only enable esm19:21
clarkbby default you get live kernel patching too if you enroll a server19:21
ianwit looks safe enough.  it's one global token good for all servers?19:21
clarkbianw: yes seems to be a token associated with the account and it doesn't seem to change. THough I've only enrolled a single host so far to test things out19:22
clarkbanything else on esm? do we want to talk mailman ansible?19:22
ianwesm looks fine, i guess we can't really test it, so just a matter of babysitting19:23
clarkbianw: ya19:23
fungii'm good to move on19:23
ianwi presume the follow-on is to add the enable flag to hosts gradually19:23
clarkbianw: yes and we would be doing that in private host vars I think19:24
ianwyeah, good idea19:24
clarkbfor mailman ansible I've started what is largely a 1:1 mapping of the existing puppet. It is nowhere near complete and there are a lot of moving pieces and I'm a mailman noob so review is welcome :)19:25
clarkbI think we should be able to get it to a point where a sytem-config-run-mailman job is able to validate some stuff though19:25
*** melwitt is now known as jgwentworth19:25
*** jgwentworth is now known as melwitt19:25
clarkbit would just create a bunch of empty lists which the old puppet never really managed beyond either19:26
ianwthis is with mailman 2 though, right?19:26
clarkbcorrect19:26
clarkbit doesn't currently try to convert mailman or do docker or anything like that yet. Just a 1:1 mapping19:26
clarkbthinking that maybe we can test upgrades etc if we do it this way19:27
fungiyeah, this also gets us a nice transitional state to mm3 i think19:28
ianwyeah i'm afraid i'll have to seriously bootstrap my mailman config knowledge :)19:28
clarkbif you think this is a terrible idea or want to see a different approach let me know (though I'm nto sure I've got enough of the background and content mapped in to do something like the upgrade)19:28
fungibecause we can install the mm3 containers onto the current listserv with ansible too, and then only map specific domains to it19:28
clarkbbasically I can do a 1:1 mapping, but beyond that I'm going to need a lot of catching up19:28
fungiluckily exim is already managed by ansible19:28
ianwby mailman containers do we mean -- https://github.com/maxking/docker-mailman ?\19:29
fungimaybe, or some we build ourselves19:29
fungiat this point the ubuntu packages for mailman3 in focal are likely fine too, but that's another upgrade or two to get there19:31
fungiless disruptive i think if we switch to containers for that19:31
fungibut anyway, somewhat tangential to what clarkb has written19:32
clarkb#topic General Topics19:32
*** openstack changes topic to "General Topics (Meeting topic: infra)"19:32
clarkb#topic Server Upgrades19:32
*** openstack changes topic to "Server Upgrades (Meeting topic: infra)"19:32
clarkbthe zk cluster is done. I've starting thinking about the zuul scheduler but haven't gotten to launching/writing anything yet19:32
clarkbI think the way that will look is we launch a new scheduler and have ansible ansible it without starting services. Then we schedule a time to stop existing zuul, copy data as necessary to new zuul, and then start services19:33
clarkbin theory the total downtime shouldn't be much longer than a typical zuul restart19:33
clarkbBut I need to double check the ansible actually works that way (I think it does but I don't want to be wrong and have two zuul start)19:34
fungii suppose this isn't something we want to pair with a distributed scheduler rollout19:34
clarkbI don't think so as in theory a distributed scheduler rollout could just be a second new zuul later19:35
fungi(because if we did want to, that's an awesome example of where the distributed scheduler work shines)19:35
clarkbwe don't make the distributed rollout easier by waiting19:35
fungiyeah19:35
fungimore thinking distributed scheduler could allow for a zero-downtime scheduler server upgrade19:35
fungibut the timing isn't ideal19:36
clarkbOh I also want to shrink the size of the scheduler19:37
clarkbit is currently fiarly large which helps us when we have memory leaks, but we don't have memroy leaks as often anymore and detecting them more quickly might be a good thing19:37
clarkbI'm thinking a 16GB instance instead of the current 30GB is probably good?19:37
clarkbanyway that was all I had on this19:38
fungiseems fine, yeah, we grew it in response to leaks19:38
clarkb#topic OpenEuler19:38
*** openstack changes topic to "OpenEuler (Meeting topic: infra)"19:38
clarkbianw: I haven't seen any discussion for this on the mailing list or elsewhere yet. Wanted to make sure that we pushing things that direction if still necessary19:39
ianwahh yeah sorry i haven't had any further updates19:39
ianwi guess19:40
ianw#link https://review.opendev.org/c/opendev/system-config/+/78487419:40
ianwis the outstanding task, for the mirror19:40
clarkbah ok so just need reviews (as well as someone to make the afs volume and babysit its syncing when that is happy)19:40
ianwMIRROR="rsync://root@mirrors.nju.edu.cn/openeuler" still feels odd, but at least there's no password in there now19:40
clarkb#topic InMotion cloud network reorg19:42
*** openstack changes topic to "InMotion cloud network reorg (Meeting topic: infra)"19:42
clarkbThis is mostly to call out that we're using the inmotion deployed cloud as nodepool resources now. But we are currently limited by ipv4 address availability19:42
clarkbOne thing we can try is running a zuul executor in the cloud region directly then have it talk to test nodes via private networking.19:43
clarkbThis hasn't been done by us before but corvus thought it should be doable.19:43
clarkbThere is one gotcha which is what while zuul+nodepool try really hard to garuntee all the jobs that share dependencies run in the same cloud they don't fully garuntee it19:43
clarkbbut it is probably good enough for us if we do that19:43
fungialso held nodes which land there will need temporary floating ips allocated in order to be reachable19:44
clarkbI don't think this is urgent, but wanted to call it out as an option for us there. We suspect we would at least triple our node count if we did this (from 8 to 25 ish)19:44
funginot ideal, but we have spare fip quota19:44
clarkbyup19:44
clarkbAnyway lets move on. The information is out there now :)19:45
clarkb#topic Removing our registration requirement on IRC channels19:45
*** openstack changes topic to "Removing our registration requirement on IRC channels (Meeting topic: infra)"19:45
ianwhow would the mirror work?19:45
clarkb#topic undo19:45
*** openstack changes topic to "undo (Meeting topic: infra)"19:45
clarkbianw: the mirror could remain as is with external connectivity and test nodes would NAT to it. Or we could redeploy the mirror with a floating IP and have it talk over the private network too19:46
clarkbwould be similar to how we use the rax mirrors today if we redeployed it that way19:46
ianwok, yeah i guess maybe NAT to it shortcuts the internet, maybe?19:47
ianwpresumably networking magic would keep the hops low.  seems like the easiest approach.  anyway, sorry, move on19:48
clarkb#topic Removing our registration requirement on IRC channels19:48
*** openstack changes topic to "Removing our registration requirement on IRC channels (Meeting topic: infra)"19:48
clarkbLate last week TheJulia asked if we had looked at removing our registration requirement on IRC channels19:49
clarkbI mentioned that last I checked we had seen fairly regular (but less frequent) spamming in the unregistered channel. However I looked at recent logs and we had ~1.5 spam instances over the last month19:49
clarkbOne was clearly spam. The other was a join our discord server message which may have been legit. I didn't want to check it out :)19:49
clarkbGiven that I think we can probably consider updating the accessbot acls and see what things look like afterwards? we can always put the restriction back again?19:50
clarkbbut wanted to make sure others thought this was a good idea19:50
ianwit seems fine; i mean the spam attacks come and go19:51
ianwa few weeks ago i was getting the privmsg spam again19:52
clarkbok I'll try to sort that out when I've got time19:53
clarkb#topic Switching artifact signing keys from RSA to ECC19:53
*** openstack changes topic to "Switching artifact signing keys from RSA to ECC (Meeting topic: infra)"19:53
clarkb#link https://review.opendev.org/78906219:53
clarkbfungi: want to take this one?19:53
fungimmm19:54
fungiyeah, so frickler pointed out that we might want to reconsider our previous rsa/3072 default19:54
fungiand the openstack artifact signing key rotation was overdue anyway19:55
fungii looked, and the latest release of gnu privacy guard switched the default to ecc19:55
fungithe version we've been using on bridge to generate keys supports creating ecc keys as long as you pass --expert on the command line19:55
*** hashar has quit IRC19:56
clarkbya so seems like its mostly a small docs update to show how to do the ecc keys19:56
fungiso i've taken a shot at rotating to an elliptic curve keypair for this cycle, and documented the process in that change19:56
clarkbIt looked good to me19:56
ianwoohh i am going to make sure to add a --expert argument to all future programs i write :)19:56
clarkbha19:56
fungito be clear, more recent gnupg can create ecc keys without passing --expert19:57
fungithey were just somewhat new and so hidden by default in the version shipped in ubuntu bionic (what bridge is running)19:57
clarkband if you use new gnupg you are automatically promoted to expert :)19:58
fungi#link https://review.opendev.org/789063 Replace old Wallaby cycle signing key with Xena19:59
fungithat's the actual key rotation19:59
fungiin case folks want to review and/or attest to the correctness of the key19:59
clarkbthanks for putting this together!19:59
clarkbWe are just about at time though so I'll end it here19:59
clarkbTHank you everyone19:59
clarkb#endmeeting19:59
*** openstack changes topic to "Incident management and meetings for the OpenDev sysadmins; normal discussions are in #opendev"19:59
openstackMeeting ended Tue May  4 19:59:57 2021 UTC.  Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4)19:59
openstackMinutes:        http://eavesdrop.openstack.org/meetings/infra/2021/infra.2021-05-04-19.01.html20:00
openstackMinutes (text): http://eavesdrop.openstack.org/meetings/infra/2021/infra.2021-05-04-19.01.txt20:00
fungii've signed it with my personal key and the wallaby signing key and pushed it to the sks keyservers20:00
openstackLog:            http://eavesdrop.openstack.org/meetings/infra/2021/infra.2021-05-04-19.01.log.html20:00
fungithanks clarkb!20:00
fungiand now it's time to start making dinner20:00
*** diablo_rojo has quit IRC23:10
*** hamalq has quit IRC23:45

Generated by irclog2html.py 2.17.2 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!