Tuesday, 2023-05-16

clarkbjust about meeting time18:59
clarkb#startmeeting infra19:01
opendevmeetMeeting started Tue May 16 19:01:26 2023 UTC and is due to finish in 60 minutes.  The chair is clarkb. Information about MeetBot at http://wiki.debian.org/MeetBot.19:01
opendevmeetUseful Commands: #action #agreed #help #info #idea #link #topic #startvote.19:01
opendevmeetThe meeting name has been set to 'infra'19:01
clarkb#link https://lists.opendev.org/archives/list/service-discuss@lists.opendev.org/thread/34DDMF4OX5CPXU2ARFFXA66IHRFDS3F2/ Our Agenda19:01
clarkb#topic Announcements19:01
clarkbI didn't really have anything to announce.19:02
clarkbWhich means we can dive right in I guess19:02
clarkb#topic Migrating to Quay.io19:02
clarkb#link https://etherpad.opendev.org/p/opendev-quay-migration-2023 Plan/TODO list19:02
clarkbunfortunately I discovered a deficiency in docker that impacts speculative testing of container images when they are not hosted on dockerhub19:03
clarkb#link https://etherpad.opendev.org/p/3anTDDTht91wLwohumzW Discovered a deficiency in Docker impacting speculative testing of container images19:03
clarkbI put together a document describing the problem and some potential solutions or workarounds.19:03
clarkbI think if we want to workaround it our best option is to build all of our images with buildx (it doesn't have the same deficiency) and then use skopeo to fetch the images out of band in testing only19:04
clarkb#link https://review.opendev.org/c/opendev/system-config/+/882977 illustration of skopeo prefetching19:04
clarkbthis change shows the skopeo workaround works and how we can apply it without impacting production19:04
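A minimal sketch of what that skopeo prefetch step amounts to, assuming a hypothetical buildset registry address and image name (the actual role in 882977 may differ):

    # Copy the speculative image out of the Zuul buildset registry into the local
    # docker daemon's storage so a later "docker-compose up" uses it instead of
    # pulling from quay.io. Registry host/port and image name are illustrative.
    skopeo copy --src-tls-verify=false \
        docker://buildset-registry:5000/opendev/python-base:latest \
        docker-daemon:quay.io/opendev/python-base:latest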
clarkbI keep getting distracted but my goal is to pick this effort up again in the near future and implement the workaround everywhere19:05
clarkbIf we don't like those workarounds I think we should consider rolling back to docker hub and then implementing one of the more robust long term options of switching to podman19:05
clarkbbut that represents significant effort that will likely need to be taken slowly to ensure we don't break anything hence the idea we should rollback the container image hosting move if we do that19:06
clarkbI haven't heard a ton of feedback on whether or not people are ok with the workarounds other than fungi saying he was fine with them. Please let me know if you have thoughts19:08
clarkb#topic Bastion Host Changes19:08
ianwdoes this affect zuul as well?  or does testing there not pull?19:08
clarkbianw: it does affect zuul as well. Though less completely because zuul has k8s testing19:08
clarkband zuul is in a different tenant so Depends-On for opendev python base images may not work anyway?19:09
clarkb#undo19:09
opendevmeetRemoving item from minutes: #topic Bastion Host Changes19:09
corvusxhi um i said some things and didn't see a response so i don't know what the current state of lagging is19:10
clarkbI suspect that it will be much easier for zuul to move to podman and friends for CI too since the testing doesn't directly map to a production deployment anywhere19:10
clarkbcorvusx: I haven't seen any messages from you19:10
corvusxso anyway:19:10
corvusxi think the skopeo hack basically means we throw away everything we've done with speculative builds and go with a completely different approach which is potentially very fragile19:10
corvusxi mean, we have all of this speculative build stuff tested and working in zuul-jobs -- but i guess the quay stuff is only working with podman.  so it seems like that's the way we should go19:10
clarkbmy concern with that is that is likely months of effort as we go through each service one by one and figure out how permissions and stuff are affected and so on19:11
corvusxbasically, every interaction with an image is an opportunity to miss getting the speculative image19:11
clarkbwhich is fine if we want to do that but I think we should rollback to docker hub first19:11
corvusxpodman is supposed to be a drop-in replacement19:11
corvusxwhy would permissions be affected?19:11
clarkbbut we know it isn't19:11
clarkbcorvusx: because it runs as a regular user without a root daemon19:11
fungispecifically, what i said i was good with was rolling forward to iterate on making things work for quay (whether that means temporary workarounds or whatever) rather than rolling back to dockerhub19:12
corvusxi mean, they might have fixed whatever was wrong before?  i haven't seen any issues with the bind mount stuff.19:12
clarkbcorvusx: yes the bind specific problems may be addressed. It's more that as I dug into it, podman-compose vs docker-compose + podman appear very different than docker-compose with docker due to podman's different design19:12
clarkbthere are also the nested podman issues that ianw hit with nodepool-builder19:12
clarkball of it should be doable, but I don't think it's a week of work19:13
corvusxhow so?  i was certainly led to believe that it's a drop in by the folks who documented that in zuul19:13
clarkbcorvusx: so the first thing is that podman-compose is not feature complete compared to docker-compose, aiui19:13
corvusxour docker-compose usage is limited to the feature set available like 5 years ago19:14
clarkbcorvusx: for this reason you can run podman + docker-compose using podman as a daemon. But if you do that I don't know if you are stuck on old docker-compose19:14
clarkbbut then separately if I run podman as root I will get different results than when I run it as a regular user19:14
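For reference, the "docker-compose backed by podman" option mentioned above generally works by pointing docker-compose at podman's Docker-compatible API socket; a rough, unvalidated sketch of the rootful case:

    # Enable podman's Docker-compatible API socket (rootful). Rootless podman
    # exposes a per-user socket under $XDG_RUNTIME_DIR instead, which is where
    # the run-as-root vs regular-user differences start to matter.
    systemctl enable --now podman.socket

    # Point docker-compose at the podman socket instead of dockerd.
    export DOCKER_HOST=unix:///run/podman/podman.sock
    docker-compose up -d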
corvusxit's just our docker-compose usage is so simple i'm having a hard time believing that this could be a huge problem.  it's basically just bind mounts and host networking... if podman/podman-compose can't handle that, then i don't know why it's even a thing19:15
clarkbcorvusx: I think we already have evidence of it being an issue though with nodepool builder running nested podman19:16
clarkbI agree it shouldn't be an issue but then ianw pointed at some historical ones19:16
clarkbthere is also the issue of installing the toolchain on ubuntu19:16
corvusxwhat's the nodepool builder running nested podman problem (and does that have any relation to what we do on servers?)19:16
clarkbcorvusx: my understanding is that if you run nodepool-builder under podman then all of the diskimage builder container elements stop working because of the nesting of podman19:17
clarkbI don't know why this occurs19:17
clarkbit would affect our nodepool builder servers19:17
corvusxthat does sound like a problem19:18
ianwhttps://opendev.org/zuul/nodepool/src/branch/master/Dockerfile#L90 is the things we know about; cgroups issues19:18
corvusxso i'm still in the camp that we should not consider the skopeo thing an intermediate solution19:18
ianwi don't think anyone really knows what would happen under podman19:18
corvusxi think if we want to go that direction, we should very explicitly make a decision to completely throw out all the work we've done on this (which is fine, that's a thing we can decide)19:19
clarkbcorvusx: I'm not sure I understand why we would have to throw it all out. The change I pushed shows it works with all of the speculative stuff in place?19:19
corvusxbut i don't think it makes sense to do that as an interim step, because i think it's potentially very error prone (every container image interaction in any job is an opportunity to miss some place that needs to be preloaded)19:19
clarkbIt is fragile though as you have to be explicit about which images are potentially speculative19:19
corvusxand by the time we find and fix all those things, we will have built a completely new solution that supersedes the old one19:20
clarkbok in that case I think we need to rollback the quay.io moves, then do the switch to podman, then move to quay.io. I don't think we can move to podman in a week. I suspect it will be months before everything is converted since the only time we tried it, it blew up on us.19:20
clarkbthe first thing that will need to be solved is installing podman and friends.19:21
clarkbThen we can use system-config-run jobs to see what if anything just breaks. Then start holding nodes and sorting out the transition from one to the other19:21
corvusxwe could still consider doing the preload thing, or we could consider staying on docker19:22
corvusxi mean staying on dockerhub19:22
ianwthe workaround in system-config does mean that if someone was implementing from first principles in zuul-jobs, there are some pretty big caveats that aren't mentioned?19:22
corvusx(also, are we absolutely sure that there isn't a way to make this work?)19:22
corvusxianw: i don't follow, can you elaborate?19:23
clarkbcorvusx: I mean I'm as sure as I can be. There is a closed issue on moby with people saying this is still a problem as of February.19:23
clarkbDigging around in the docker config docs I can't find any indication that you can set up a mirror for anything but docker.io. Another option would be writing the custom proxy thing and configuring docker daemon with an http proxy that does what we need19:24
fungiclosed as a "wontfix" by the maintainers who apparently don't see the problem with fallbacks only working for dockerhub19:24
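For context, the only mirror setting dockerd exposes is registry-mirrors in daemon.json, and it applies solely to docker.io pulls; a sketch (the mirror URL is an example) of why it doesn't help for quay.io-hosted images:

    # registry-mirrors only rewrites pulls of docker.io images; a reference like
    # quay.io/opendev/foo goes straight to quay.io and bypasses the mirror.
    cat > /etc/docker/daemon.json <<'EOF'
    {
      "registry-mirrors": ["https://mirror.example.org"]
    }
    EOF
    systemctl restart docker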
corvusxclarkb: the proxy was the original idea and worked poorly19:24
clarkbcorvusx: ya it seems like something that would need a lot of from scratch implementation too rather than just using an existing http proxy due to the specific behavior that is needed19:25
clarkband then potentially break when docker changes its behaviors19:25
corvusxclarkb: no i literally mean we did that and it worked poorly19:25
corvusxlike that's part of why zuul-registry is designed the way it is19:25
clarkboh I see19:26
corvusxi'm not going to say it can't be done, i'm just saying, it's not the easy way out here19:26
ianwcorvusx: i mean use-buildset-registry isn't a transparent thing if you're not pulling from docker.io?  which i think is at least a tacit assumption in zuul-jobs19:26
corvusxianw: i agree; i thought it was tested with non-docker images and thought it worked19:26
corvusxianw: so if it really is borked like that, i agree it needs a big red warning19:27
clarkbcorvusx: ianw: fwiw I think others should double check what I've found. Best I could tell gerrit 3.8 jobs failed because it couldn't find tags for 3.8 because it was talking directly to quay.io which hasn't had the newer 3.8 tag synced over19:27
clarkbbasically completely ignoring the speculative state and talking directly to quay.io19:27
fungi#link https://github.com/moby/moby/pull/34319 "Implement private registry mirror support"19:28
clarkbthen I found the issue I mentioned previously which seemed to confirm this is expected behavior19:28
fungifor reference19:28
corvusxi feel like the best approach would be to either (after switching back to dockerhub if we so wish) move to podman completely, or redesign the system based on preloading images (and doing that in a suitably generic way that we can set out rules about what jobs need to expect and do).  something based on artifact data in zuul probably (like pull-from-intermediate-registry but for individual jobs).  19:28
corvusxit will be much less transparent but should work.19:28
corvusxi think both of those have a good chance of producing a positive outcome19:29
clarkbI thought about the second option there, but I don't think you can ever pull images in your actual job workload because that would overwrite what is preloaded19:29
clarkbI couldn't come up with a way to encode that in zuul-jobs as a "platform" level thing that our service deployments wouldn't immediately clobber over19:29
clarkbwhich is why I ended up with the role embedded in system-config in my example change proving it works (at least minimally)19:30
corvusxclarkb: we risk getting into the weeds here, but how do we make opendev prod jobs work then?19:30
clarkbcorvusx: https://review.opendev.org/c/opendev/system-config/+/882977 illustrates it19:31
corvusxyeah i'm reading it19:31
clarkbcorvusx: you basically have your normal docker-compose pull then after that and before docker-compose up you run skopeo to sideload the image(s)19:31
corvusxright so that means that job doesn't test our production playbooks?19:32
clarkbcorvusx: I guess it depends on how you look at it. The skopeo side load only runs in CI but everything else is also tested and runs in production too19:32
corvusxright, it has a "CI=1" style flag19:32
clarkbyes but only for an additional step. It doesn't remove what runs in production19:33
clarkbso what goes into production is still tested from a code coverage perspective19:33
corvusxgot it19:34
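Paraphrasing the flow described above as a sketch (the CI flag, registry host, and image name are illustrative; the real role in 882977 may be structured differently):

    # Production and CI both run the normal pull; only CI adds the sideload.
    docker-compose pull

    if [ "${CI:-0}" = "1" ]; then
        # Overwrite the just-pulled tag with the speculative image from the
        # buildset registry before starting the service.
        skopeo copy --src-tls-verify=false \
            docker://buildset-registry:5000/opendev/gerrit:3.8 \
            docker-daemon:quay.io/opendev/gerrit:3.8
    fi

    docker-compose up -d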
clarkbanyway it sounds like I should hold off on making any changes in the near future. I think it would be helpful if others can look at this and update the etherpad with their thoughts19:34
clarkbI have spent a fair bit of time digging around this problem and workarounds and ended up with that workaround.19:34
clarkbI don't think there is a straightforward solution because docker quite simply is badly designed and doesn't support this workflow despite buildx and podman etc all doing so19:34
corvusxyeah, if we look at it in a different perspective:19:35
corvusxit seems what we have in zuul-jobs is: the docker world where all the roles work together as long as you only use docker images and tools; then basically the same for podman (with the exception that it also works with docker images)19:36
fungiit does seem rather balkanized19:36
corvusxso if we like what we have been using, then it seems like we're drawn toward "use podman family of tools".  and if we're willing to accept a different method of building and testing things (with much less magic and more explicit decisions about when and where we use speculative images) then we open the door to preloading19:37
clarkbin my mind the workaround with explicit decisions is ideally a short/mid term workaround that we employ to complete the migration to quay.io. Then we continue to move to podman19:38
clarkbbecause clearly docker is a problem here ( we want to move to quay.io for a different problem too)19:38
clarkbas an alternative we can stay on docker hub and move to podman then move to quay.io19:38
clarkbI guess it depends on which change we feel is a priority19:39
corvusxokay, let me try to be convinced of skopeo as a workaround -- it's certainly better than what we have now since we basically have no speculative testing19:39
ianwi know it's unhelpful from the peanut gallery, but yeah, i've certainly touted the "ci == production" features of opendev deployment several times in talks, etc.  it is something that has been a big staple of the system19:39
fungiright, it seems like a question of two paths to the same destination: whether we switch the toolchain first and then the hosting location, or the other way 'round19:39
corvusxianw: yes me too.  full disclosure, i have one scheduled a few weeks from now :)  but that's not driving my strong interest -- i can still give a talk and talk about what doesn't work too :)19:40
corvusxi'm a bit worried about the nodepool thing19:40
corvusxlike does that mean it's simply not going to be possible to run it in nodepool?  does that make podman DOA for us?19:40
clarkbI'm personally happy with either approach. I've been looking at short term workarounds because quay.io migration is halfway done and completing that would be nice. But rolling back isn't the end of the world either19:40
clarkbcorvusx: I don't think it is DOA we just likely need to run it that way and figure out what random settings need to be toggled19:41
clarkbMore just that it isn't likely to be directly drop in, there is work to do I think19:41
tonybI certainly don't have the background of you all but I feel like completing the migration and then starting a new wholesale tool migration to podman and co is what I'd look at19:42
clarkbas a time check we've spent most of our meeting on this topic. We can followup on this outside the meeting? There are a few other topics to dig into19:42
corvusxokay, my concern with the preload "hack" is that it's fragile and doesn't give us full test coverage.  so if migrating nodepool will take a long time then we end up with a permanent hack19:42
corvusxif we thought we could do it in a relatively short period and most of the skopeo hack work is done, then maybe that's the way to go.  but if it's really uncertain and going to take a long time, that makes me think that rollback is better.19:43
clarkbcorvusx: in that case maybe we should focus on "install podman and friends" first then we can use that to run some test jobs with podman instead of docker19:44
clarkbspend some time on that then decide if we rollback or rollforward with the workaround19:44
corvusxsounds like if we can run nodepool we're probably golden?19:44
clarkbyes I think nodepool and gerrit are the two big questions19:44
corvusxwhat's weird about gerrit?19:44
clarkbcorvusx: all of the sideband command stuff19:45
corvusxlike "docker run gerrit foo" ?19:45
corvusxer "docker exec" ?19:45
clarkbya for reindexing and all that19:45
clarkbI think a lot of it is run not exec currently so it spins up another container on the same bind mounts and does operations19:46
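The sideband operations referenced here have roughly this shape (illustrative only; the exact commands and paths live in system-config):

    # Start a one-off container on the same bind-mounted site directory and run
    # the offline reindex, rather than exec'ing into the running gerrit container.
    docker-compose run --rm gerrit \
        java -jar /var/gerrit/bin/gerrit.war reindex -d /var/gerrit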
clarkbI'm less concerned this will break than nodepool builder stuff19:46
fungii guess you're saying it makes a good canary because of the additional complexity?19:46
corvusx"neat"19:46
clarkbbut I think it is good coverage of a workflow we have19:46
clarkbfungi: ya19:46
clarkbmost of our services are a few bind mounts and an http server. Super simple and basic19:46
fungigot it, so not for any specific thing that we suspect is problematic19:46
clarkbgerrit is different. nodepool-builder is different19:47
fungi(unlike the cgroups problem witnessed with nodepool)19:47
ianwmysql/mariadb dumps are another thing that calls into the running container19:47
corvusxso is anyone interested in getting nodepool-builder to work?19:47
clarkbianw: ya and gerrit would cover that too19:47
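The database dump case ianw mentions is similar in shape (container and output names are hypothetical, and credentials handling is omitted):

    # Call mysqldump inside the already-running mariadb container and stream the
    # dump out to the host rather than installing a client on the host.
    docker exec mariadb mysqldump --all-databases > /var/backups/mariadb/all-databases.sql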
tonybI am interested but I don't have time to dedicate to it for several weeks19:48
ianwi think the "interesting" path in nodepool-builder would be the containerfile element19:48
clarkbcorvusx: I can continue to push this along if others prefer. But it might be a day or two until I can spin up testing for that (I would probably rely on system-config-run after sorting out some podman install stuff)19:48
clarkbianw: ++19:48
ianwwhich is used by fedora and rocky only.  fedora we've discussed ...19:48
clarkbbasically I think step 0 is a system-config role to install podman/buildah/skopeo/podman-compose or docker-compose with podman backing it19:49
clarkbthen we can have the CI system produce a nodepool-builder we can poke at19:49
clarkband I can do that but probably no sooner than tomorrow19:49
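As a starting point, that install role would presumably begin with something like this on our Ubuntu servers (untested sketch; package availability and versions vary by release, which is part of the "installing the toolchain" concern noted earlier):

    # Install the podman family from the distro archive. On some Ubuntu releases
    # podman-compose may be missing or too old, which is exactly the packaging
    # question the role has to answer.
    apt-get update
    apt-get install -y podman buildah skopeo podman-compose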
corvusxis there some person or group who is driving the rocky requirement that can help?19:50
ianw++ running dib gate testing will stress containerfile19:50
clarkbcorvusx: NeilHanlon and the openstack ansible group19:50
clarkbI can reach out to them once I've got the basic stuff running19:50
corvusxis fedora being removed?19:51
clarkbcorvusx: I think so, no one really chimed in saying they have a use case for it since I last prodded19:52
ianw(although now i wonder about the dib gate and if that's pulling the nodepool-builder speculatively built container properly?)19:52
corvusxianw: it is almost certainly not19:52
corvusxi do have a suggestion for a last-ditch way to avoid the nested podman problem with nodepool19:53
corvusxif we find there is no way to get it to work, we can implement my "build an image in zuul and hack nodepool-builder to upload it" idea that i mentioned in the nodepool-in-zuul spec19:54
tonybI spent a couple of days verifying that the only thing we "lose" with switching off fedora is some newer virt stack testing and that repo is available for CentOS so it's not even a real loss19:54
clarkbtonyb: thanks for confirming19:54
clarkbcorvusx: oh thats a neat idea.19:54
corvusxessentially, anticipate the nodepool-in-zuul work (which itself would alleviate this problem) by doing the rocky build in zuul and then having the nodepool builder job for that download and upload the build19:54
clarkbok lets continue this outside the meeting. I think we have a few investigative next steps we can take in order to better understand potential impact and I'm volunteering to start on those within a day or two19:55
corvusxthat's not going to be the easiest thing (like, if the issue can be resolved by adding "--work-please" to podman, that's best) but if we literally can't make it work, that gets us out of the corner we backed ourselves into.19:55
clarkbI'm going to skip the bastion, mailman3, gerrit, server upgrades, and storyboard topics today because I think the only one with any real movement since last week is the fedora topic19:56
clarkb#topic AFS volume utilization19:56
clarkbutilization is trending back up. We seem to bounce around up and down with a general trend of upwards19:56
clarkbas mentioned I asked for any last comments on whether or not people had a use case for fedora last week with the intent of making changes starting this week19:56
clarkbthere really wasn't any "we need fedora" feedback. We got some "why no rhel? Why this why that?" feedback instead19:57
clarkb#link https://review.opendev.org/c/opendev/system-config/+/883083 Cleanup unused fedora mirror content19:57
clarkbI think this is a good step 0 that will free up fileserver disk19:57
fungisean is looking into the possibility of rhel again too19:57
fungihas another question about it into rh legal19:58
clarkbregardless of what happens to fedora this change should be safe as it removes unused fedora mirror content19:58
clarkbI think if we can land that in the near future it would be great19:58
clarkbthat will address the immediate lets not run out of disk on AFS problem19:58
ianw... that has been a very "looked at" thing over the years 19:58
clarkbThen separately I also think we can proceed with removing the fedora bits we are using. The first step for that would be to configure the fedora jobs to stop relying on the mirrors. Then we can clean up the mirror content that was used. Then finally we can start removing jobs and remove the images19:59
ianwi think given tonyb's input too, i don't see too much using this19:59
clarkbThe actual removal will probably take some time as we clean up jobs. But we should be able to clean up mirrors which is the immediate concern then gracefully shutdown/remove the rest19:59
ianwone thing is maybe we should stop the mirror setup first?  i think zuul-jobs breakage might be the main pain point20:00
clarkbianw: yes thats what I said :)20:00
clarkbbasically we can keep the nodes but they can talk to upstream package repos20:00
ianw++20:00
clarkbnote https://review.opendev.org/c/opendev/system-config/+/883083 removes mirroring for content we don't have nodes for20:00
clarkbdouble check me on that but I think that means we can merge it right now20:01
clarkbbut for the bits we do use we need to stop consuming them in the jobs first and ya I think that is a good first step in the shutdown of what does exist20:01
clarkband we are at time.20:01
clarkbSorry this went a bit long and we skipped over time topics20:01
clarkbFeel free to continue discussion in #opendev or on the mailing list for any thing that was missed (including the skipped topics)20:02
clarkbBut I won't keep you any longer than I already have20:02
clarkbthank you for your time today!20:02
clarkb#endmeeting20:02
opendevmeetMeeting ended Tue May 16 20:02:24 2023 UTC.  Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4)20:02
opendevmeetMinutes:        https://meetings.opendev.org/meetings/infra/2023/infra.2023-05-16-19.01.html20:02
opendevmeetMinutes (text): https://meetings.opendev.org/meetings/infra/2023/infra.2023-05-16-19.01.txt20:02
opendevmeetLog:            https://meetings.opendev.org/meetings/infra/2023/infra.2023-05-16-19.01.log.html20:02
corvusxor longer than i have :)20:02
corvusxthanks and sorry all :)20:02
tonybThanks everyone20:02
fungithanks!20:02
corvus...20:36
