Thursday, 2023-03-16

clarkbinfra-root we can meet here to keep logs separated and also to have the bot track notes for us19:02
fungiwfm19:02
clarkb#startmeeting infra19:02
opendevmeetMeeting started Thu Mar 16 19:02:34 2023 UTC and is due to finish in 60 minutes.  The chair is clarkb. Information about MeetBot at http://wiki.debian.org/MeetBot.19:02
opendevmeetUseful Commands: #action #agreed #help #info #idea #link #topic #startvote.19:02
opendevmeetThe meeting name has been set to 'infra'19:02
clarkb#topic What do we do about docker deleting free orgs19:02
clarkb#link https://etherpad.opendev.org/p/MJTzrNTDMFyEUxi1ReSo19:03
clarkbLong story short Docker will remove access to free orgs on April 14. I believe this means we won't be able to manage our images including push new version of them to opendevorg/* and zuul/*19:03
clarkbIf I've read their comms properly the public images already there will be accessible for 30 days after April 1419:04
clarkbThis puts us in a position where we need to find a new home for the images we host at opendevorg/ and zuul/19:04
clarkbThe etherpad linked above attempts to capture what our options are19:05
clarkbWe can A) Move to a different free public registry like quay or github etc B) Host our own registry C) Apply for docker's DSOS open source program D) pay Docker to keep our existing orgs as is. THere is also a E) which is do more than one of options A-D19:06
clarkbinformal discussion between different infra-root leave me to believe that none of us are too thrilled about C or D19:06
fungiand for completeness, f) stop hosting/publishing images19:06
NeilHanlon... and move to somewhere and raise goats19:06
clarkbyup that is technically an option though likely to be the most effort of all of them due to our reliance on containers for our service deployments19:07
fungigoat farming has started to become tempting19:07
clarkbconsidering all that I believe A and B are the serious contenders here.19:07
corvusfor clarity: if we did want to do (F), i think we could still run our own tiny registry for our own operational needs19:07
corvusi'm not pushing for (F)19:08
clarkbMy personal inclination is to avoid running more services if we can. To this end I created a quay account and tested things there. I believe that quay, despite some oddities, would be a viable option for us19:08
fungiyour progress reports on quay experience in #opendev seemed promising19:08
corvusyes, based on that progress, i like: A (quay); B, F in that order.19:09
fungiand while it doesn't get us away from "some vendor-run registry that could be pulled out from under us at any moment" our communities at least have fairly strong relationships with red hat, unlike docker inc19:09
corvus[but if someone has a herd of goats ready to go, that really does make F more tempting]19:09
clarkbI think the rough setup I would advocate there is that infra-root create personal accounts via https://quay.io (you click sign in then register an account). We would then create an org for opendevorg/ and another for zuul/ and add our personal accounts to those orgs19:09
clarkbOne thing to note is that orgs appear to require an email address and that email address must be distinct19:10
fungido + extensions count as distinct?19:10
NeilHanlonthey do19:10
clarkbwhich means we'll probably want the opendevorg/ email addr to be something like infra-root+quayopendevorg@...19:10
fungigood enough for me19:10
clarkband then I'll defer to corvus on what he feels is most appropriate for zuul/ but could do similar there19:11
NeilHanlonthat is the setup, too, that we use for Rocky Linux, which seems to work well19:11
corvusthat's a little awkward for other orgs, in that it requires some interaction with infra-root19:11
clarkbNeilHanlon: thats good input that others are able to do similar19:11
clarkbcorvus: agreed19:11
corvusbut that's probably scalable to the number of orgs we're contemplating for the next little while19:11
clarkbcorvus: yup and it sounds like a lot of other ajdacent orgs/communities are already on quay and have solved this themsevles19:12
corvus(or we could ask projects like zuul to get their own secret shared mailbox, but that's a lot of work that's probably not necessary)19:12
fungiit can certainly be handled the same way as it is for dockerhub: let community leadership create accounts, set up orgs, encode secrets for zuul, done19:12
corvusfungi: right, just the email address thing is new19:12
clarkbThen once we have an org we could create an appliction/robot within that org for api access and push credentials. This is what our CI jobs would be configured with19:12
fungiyeah, they'd need e-mail addresses. most of them will probably create a gmail inbox (eww) and call it done, but whatever19:13
corvusclarkb: did the email get used for anything?  confirmation dance?19:13
clarkbAnother oddity is that if you docker image push to create a new image in quay it is by default private even if your account is private only. You can manually set this as public via the web UI or emilienM wrote a script and blog post on how to do it via the api19:13
clarkb#link https://my1.fr/blog/moving-container-images-from-docker-io-to-quay-io/19:13
clarkbcorvus: they didn't ask for confirmation now that I've double checked. When I set a docker cli password on the account to docker image push they sent me an email to alert me that this event occurred19:14
clarkboh account sign up does require a phone number, email address, and physical address. I don't know how much validation of those fields they do. They have not called or texted my phone number19:15
fungimy assumption is that those and handed directly to your friendly red hat sales team for followup19:15
clarkbbut if you sign up via https://quay.io there are fewer questions to answer than when you sign up via sso.redhat.com so I suggest signing up via quay19:16
corvusokay, so the org email address is basically something that's unused for now, but could be important later.  i think letting our orgs use infra-root+ORG@.. is reasonable in that case, and better than asking people to make gmail accounts and losing the passwords19:16
clarkbcorvus: wfm19:16
fungiyeah, i'm cool with it19:16
clarkbit is possible that the org creation process is different than the individual user process and they will validate it. I can't be sure of that yet since I did a slightly different process19:16
clarkbAnother thing I noticed is that quay's security scanning is very aggressive to the point of not being useful imo. It calls out a bunch of issues with up to date debian packages19:17
clarkbBut ya I would say that if others are comfortable creating personal accounts for quay/red hat we can start there then create orgs and then figure out what zuul job updates are required to migrate our images over19:18
clarkbeverything I've seen indicates it should be possible to automate what we need in order to create new images on quay and push to them via zuul19:18
corvussounds like we have 2 tasks there: 1) do the create public repo api call at the start of the promote job; and 2) update the docker-specific tag promote to something that works with quay19:19
corvusi can volunteer for #219:19
fungii'm assuming their security scanning is really only accurate if the images are rhel/centos/fedora based19:19
clarkbcorvus: and 3) create org in quay for opendevorg and 4) create org in quay for zuul19:20
clarkbI'm happy to do 3 once we have general agreement and more than one user account that has managed to sign up successfully19:20
corvusoh yeah that too, sorry i was just thinking of job related work19:20
NeilHanlonin my experience, it's on par with most other scanners... which is to say: mediocre on a good day19:20
clarkbcorvus: I can do 4 too fwiw but thought you might prefer to do it19:20
corvusyeah i can do #419:21
fungido we want to push in parallel to both dockerhub and quay for some period of time, or just make a hard cut-over? i guess for opendev's server images it can be a hard cut. other projects will likely migrate at their own pace19:21
clarkbI think 1) becomes easier to test once 3 and/or 4 are done since we'll be able to create an application that can talk to the API at that point19:21
clarkbI'm willing to drive 1 and can holler for help if I need it19:21
corvusmy read on the zuul community is that we probably don't really need to get specific feedback and whatever we decide here will work for zuul.19:21
corvus(specifically, everyone i've talked to in the past about this either (a) would prefer quay to dockerhub or (b) doesn't care)19:22
clarkbfungi: I think I'd just hard cutover the publication location, then we update opendev's pull locations19:22
fungipresumably zuul will do an announcement at least, opendev's server deployments likely don't even need that19:22
clarkbits not like the docker hub images are going away immediately and if we need to update for security updates anyway we're doing a build and publish and pull anyway19:22
corvusfungi: re announcement, yep, at least one19:22
clarkbwe also need to decide if we care about rebuilding imgaes multiple times or not. If we do care we should start with our base images and then their consumers19:23
clarkbbut I think we can rebuild if those move later and it will be fine too19:23
corvusi'd like to float the idea of deleting our repos from dockerhub shortly before we lose access.  that way there isn't an "official looking" repo serving content that we don't control.19:23
clarkbthats a reaosnable thing to do. I wonder if that would impact their promise to not allow name reuse. eg if you intentionally delete it vs them doing it19:24
clarkbbut I do agree not having stale images that we know are bad is preferable to potentially having bad images later19:24
fungiwe could always delete the orgs and then try to squat the same names with personal accounts19:25
fungibut yeah there could be some delay in them releasing the names, if they do19:25
clarkbit is probably sufficient to just delete our existing images within the orgs and let them do what they are going to do to the org19:25
corvusi think they're talking about the org.... i assume that would stay.  we could always create a new repo so there's at least one repo in the org.19:25
corvus"dear-docker-please-do-not-release-this-namespace"19:26
fungioh, got it, delete the repos but not necessarily the orgs19:26
corvusfungi: i'm not sure that's possible (deleting orgs)19:26
NeilHanlonsomeone in the github issue commented they removed an older org the had and the namespace wasn't cleaned up within 30 mins19:26
NeilHanloncorvus: throw in some zero width spaces or something to make it hard19:26
corvuslol19:26
clarkbI'm going to try and summarize where I think the plan is headed on the etherpad19:26
NeilHanlonjust use chatgpt /s19:27
clarkboh looks like corvus already is thanks!19:27
corvusoh i started a section at the bottom19:27
NeilHanlon(just wanted to make fungi's blood pressure rise ;) )19:27
fungithey make medication for that these days19:27
corvusnew task on that list: copy existing repos and all tags to quay.io -- i think that would be a good idea, yeah?19:27
clarkbcorvus: It was something I wondered about. I think for opendev its far less important but mostly because we just have :latest on most images except gerrit19:28
clarkbBut for zuul I think that makes a lot of sense19:28
clarkband if we are doing it for zuul we may as well do it for opendev19:28
corvustrue; that might be something i manually do for zuul then19:28
clarkbemilienm's blog/script will be useful for that19:29
clarkbsince that is essentially what it was for19:29
corvusah cool19:29
fungiis that linked in the pad?19:30
clarkbfungi: not yet I'll add it19:31
fungithanks19:31
clarkbheh corvus wins again19:31
fungii saw it in #opendev, just want to make sure we don't have to go digging it back out of our irc logs19:31
clarkbok I think we've got a good foundation for zuul/ and opendevorg/ things. This doesn't address what we'll do with other things like zookeeper mariadb etc19:33
clarkbor graphite/grafana19:33
ianwi don't want to be annoying, but i just wonder if we are setting ourselves up here to once again be disappointed by basically doing the same thing over again.  since we are have a rather large consortium behind us, perhaps we should consider using some of the resources available to the project to start this on a paid plan, and then we seem less likely to be back here having another meeting19:34
fungiwhich will depend on what decisions their communities make, i suppose?19:34
clarkbthere are two classes of image there. THe first are the "docker official" images like python, zookeeper, mariadb, debian, ubuntu and it sounds like most people expect docker to continue to maintain those19:34
clarkbbut graphite and jitsi meet we may need to watch for new image locations for those as well19:34
clarkbianw: I think we can make a decision like that further down the road (there is a "upgrade" button to do that in account settings and I assume org settings)19:35
fungiianw: assuming you mean pay for quay, we can talk to the foundation executive team and board of directors, but it may get weird with red hat also being a member of the organization19:35
clarkbianw: my concern with trying to start that way is it will slow down the move while we sort out if that is ok or even appropriate and who to pay and so on.19:35
clarkbalso once you sign up its really clear they don't expect open source orgs to pay19:36
corvusalso before you sign up that's pretty clear19:36
clarkbin particular when you create a new org the free tier is public images only and labeled "open source"19:36
clarkbI don't think any part of this plan prevents us from doing that later19:36
fungias far as paying for things, i wouldn't be surprised if red hat paying for membership in a non-profit which in turn buys services from red hat might have tax law implications, so will want to make sure we talk to the right people to nail down all the gotchas if we want to go that direction19:37
ianwnothing really stops us paying docker either, but i feel like the major concern with that is not really technical but more "they bait and switched us".  which, ok, but if RH starts imposing rate limits etc. we do have to sort of say "well we walked into that"19:39
corvusputting on my free software hippie hat for a moment -- if the norm in open source communities becomes "pay to host container images" then i do think a serious consideration of (F) -- don't publish images just like we don't publish .rpm or .deb files is worth having.  "docker build" is not actually hard for end users to run.19:39
clarkbianw: yes we could pay docker hub as well and there is potential for this or something like it to occur with quay as well. I've heard an explicit interest in not paying docker from other infra rooters. And I think those opinions are valid19:40
fungiand we do already operate on a ton of donated services which could be pulled out from under us at any time, so free dockerhub or quay aren't all that different from those19:40
clarkbWhere it gets weird paying quay is they explicitly sya they don't want money for what we are planning to do19:41
ianwi don't really want to argue this, i know everybody understands what we're getting into.  quay seems fine and i'm happy to be on board with helping switching.  just if it turns out that unlimited free repos isn't sustainable, i don't think we should be surprised, again19:41
clarkbianw: agreed19:41
clarkbfool me once etc19:42
corvusianw: i agree too.  and i don't think we have any implied or explicit SLA to our users here either.  moving stuff like this around quickly, with little notice, and even having interruptions in service should be expected, i think.19:42
fungiit's definitely worth calling out, and i wouldn't be surprised if quay is getting inundated with a flood of dockerhub evacuees too which might change their viewpoint on financial matters19:42
clarkbthe short timeline involved makes it difficult for me to say we should do something like f which is almost certainly going to be more effort19:42
corvusyeah, f is a bit "change how people think" which, you know, we don't shy away from, but also tends to have an extended time line19:43
ianwok, the fact that we even discussed this, which i don't feel like was ever discussed with dockerhub as it was pretty much assumed it would remain around forever, is probably enough19:43
clarkbok cool. And please do bring up concerns if we run into anything unexpected and new19:44
corvusi may have joked about dockerhub pulling the plug while drunk... but yes, i don't recall a serious discussion :)19:44
fungifwiw, i don't assume any gratis service will be around/available forever. we've seen enough examples ourselves that's not reasonable19:44
fungitransifex did the same to us years ago19:44
corvusyep, sounds like we're eyes wide open on this19:45
NeilHanlonfwiw, i did start conversations with some of Rocky's sponsors about the possibility of a community-owned/operated registry. of course: with all the problems which come along with that... but, I think it's not a bad idea in general to have something without a commercial interest...19:45
clarkbre other images. I'm thinking for now we should maybe keep our ears open for news on any changes to those images. And update quickly assuming they move.19:45
clarkbBut I think it may be too early to say "we need to build our own ubuntu images from scratch" and I think it highly unlikely that docker just deletes those19:45
clarkber I guess it would be debian since that is what we predominantly use for our container base19:46
clarkb#link https://github.com/jitsi/docker-jitsi-meet/issues/1502 jitsi meet move to github container registry will happen soon19:46
clarkbit wouldn't surprise me if grafana stays on docker hub19:47
clarkbseems like discussion is slowing down. Is there anything else we want to discuss around the docker hub org deletion?19:48
clarkbMaybe we've got enough sorted out to beging to make progress then resync on tuesday19:48
clarkb*to begin19:49
corvussounds like we have consensus (maybe even complete agreement) and a task list?19:49
fungii agree on the task list19:49
corvusi concur19:49
fungi#link https://wiki.debian.org/Cloud/CreateDockerImage if we do decide we need to build our own19:50
clarkbfungi: we can also fork what docker is/was doing too19:50
clarkb(I don't have an opinion on the best method but they are all open source and forkable aiui)19:50
NeilHanlon#link https://github.com/docker-library/official-images/ "Library"/"Official" image sources for many images that can be rebuilt19:51
NeilHanlonthis is "just" references to other repos, so in theory they should be reproducible19:51
clarkbsounds like that is probably it for now. We can sync up Tuesday at our normal meeting time19:52
fungii guess an #agreed is in order?19:52
clarkbsure. How about #agreed Move opendevorg and zuul container images from docker hub to quay.io. This will require modifications to zuul jobs and management of accounts/orgs in quay.io. We recognize there is a risk that we may end up in the same spot later down the road but this seems the least painful option for today.19:54
clarkbianw: ^ want to make sure I'm representing what you've said accurately19:54
fungiwfm19:54
NeilHanlonsgtm19:54
corvus++19:55
clarkb#link https://www.docker.com/blog/we-apologize-we-did-a-terrible-job-announcing-the-end-of-docker-free-teams/19:55
clarkb"We’d also like to clarify that public images will only be removed from Docker Hub if their maintainer decides to delete them."19:56
clarkbI thought we had waited long enough for clarification from them. However reading this I don't really think it changes my inclination for the plan19:56
clarkbmaybe makes it slightly less urgent? but its still not super clear so I'm more happy to move to something that is clearer19:57
NeilHanlonobviously i'm external to opendev.. but.. IMO: too little, too late19:57
corvusi think the only thing that warrants a reconsideration is: Can I migrate to a Personal account?19:57
corvusYou can migrate to a Free Team organization to a Personal account by opening a support ticket. No action will be taken against your account while your ticket is being processed.19:57
corvusthat was a question we had that was unanswered until now.19:57
corvusbut i'm still ready to proceed as agreed.19:58
fungiNeilHanlon: you don't seem all that external to me. you're participating in our discussions and helping support our testing efforts19:58
clarkbme too after skimming this.  Idon't think it functionally changes anything for us19:58
corvusaside from that clarification, it's basically "here's what we said but with more words"19:58
NeilHanlonfungi: well, thank you for that :) I'm glad to be involved with an org like opendev, and try to model what we do at Rocky after y'alls model19:59
fungi"We have assigned more staff to promptly review all applications." i guess that's their "we're sorry we ignored all your applications previously"19:59
clarkbianw: fwiw I'm happy if you nack that draft as well :)20:01
clarkbMaybe I'll leave it out of the official meeting notes just to avoid implication everyone ack'd it. But the log captures that we have general consensus if not complete consensus20:01
clarkbya I'll leave it there. Thank you everyone for the input.20:02
clarkb#endmeeting20:02
opendevmeetMeeting ended Thu Mar 16 20:02:45 2023 UTC.  Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4)20:02
opendevmeetMinutes:        https://meetings.opendev.org/meetings/infra/2023/infra.2023-03-16-19.02.html20:02
opendevmeetMinutes (text): https://meetings.opendev.org/meetings/infra/2023/infra.2023-03-16-19.02.txt20:02
opendevmeetLog:            https://meetings.opendev.org/meetings/infra/2023/infra.2023-03-16-19.02.log.html20:02
fungithanks!20:03
corvusclarkb: thanks (and also for the quay research)!20:03
NeilHanlonthanks all 20:05
ianwclarkb: very sorry called into another thing.  that's fine.  i don't think you even really need the last sentence, we discussed it, it's fine, we know what we're getting into20:20
clarkback20:21

Generated by irclog2html.py 2.17.3 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!