Tuesday, 2024-05-28

clarkbjust about meeting time. I suspect this willbe another short one18:58
corvuso/18:59
fungii have something for open discussion which came up during the openstack tc meeting, if there's time19:00
* tonyb waves19:00
clarkb#startmeeting infra19:00
opendevmeetMeeting started Tue May 28 19:00:35 2024 UTC and is due to finish in 60 minutes.  The chair is clarkb. Information about MeetBot at http://wiki.debian.org/MeetBot.19:00
opendevmeetUseful Commands: #action #agreed #help #info #idea #link #topic #startvote.19:00
opendevmeetThe meeting name has been set to 'infra'19:00
clarkb#link https://lists.opendev.org/archives/list/service-discuss@lists.opendev.org/thread/HUXFNIX5ZHYFHSF4SRXSKN25P3CXES4E/ Our Agenda19:00
clarkbfungi: there should be plenty of time I suspect19:00
clarkb#topic Announcements19:00
clarkbThe OpenInfra Summit CFP closes tomorrow. I'm not sure what timezone that is relative to but get your proposals in if you plan to submit one19:01
clarkb#topic Upgrading Old Servers19:02
clarkbLet's dive right in19:02
clarkbtonyb it sounds like you have learned things about the wiki migration/upgrade plan. Anything new you'd like to share?19:02
tonybI have the basics fleshed out19:02
tonybI should have the container stuff published this week and hopefully enough of the service-mediawiki stuff up that we can hold a node and start looking more carefully19:03
clarkbthat sounds like good progress. Anything concerning other than the theme may have to go away?19:04
tonyb.... Unless I should also target Noble and just make mediawiki a real challenge19:04
tonybI haven't gotten far enough to verify if all the extensions work but they load so that's something19:05
clarkbhopefully the container stuff isolates us quite a bit from the underlying platform19:05
clarkbso even if we deploy on jammy moving to noble later should be more straightforward19:05
tonybYup for sure.19:05
tonybThat's the main aim19:06
tonybgetting to a newer mediawiki is kinda secondary19:06
fungiwe haven't tested deploying any servers on noble yet, so i wouldn't recommend gating this work behind figuring that out19:06
clarkbthats a good point too.19:07
fungione problem (or set of problems) at a time19:07
tonybOkay19:07
tonybI'm hoping that cacti will be easy after this ;P19:07
clarkbanything we can do to help at this point or are we waiting for the held node to poke around on?19:07
tonybI think its that one19:08
clarkbgreat I guess let us know when you get to that point. Anything else related to upgrading servers?19:08
tonybI have some "local hacks" that let me spin up a VM and then run roles etc from system-config so it's going okay and slightly faster than doing everythign in the gate19:09
tonybnothing else from me19:09
fungias far as deploying things on noble, the first one should probably be an upgrade of something we've already got in containers19:09
clarkbfungi: or a mirror node19:09
fungiyep. just to limit the amount of effort involved19:09
fungii wouldn't mix "make this work on noble" with "make this work in containers, and with ansible" was my point19:10
clarkb++19:10
tonybSounds fair19:10
fungijammy has plenty of support lifetime still19:11
clarkb#topic AFS Mirror Cleanups19:11
clarkbSpeaking of things with less lifetime I've sort of stalled on the xenial cleanup being distracted by things like gerrit and gitea upgrades19:12
clarkbhowever there is one more change in topic:drop-ubuntu-xenial that I think is landable now. Just need to recheck the change now that its depends-on has merged19:12
clarkbAnd then its back to pruning usage of xenial out where appropriate. I'll see if I find time for that soon (maybe tomorrow)19:13
clarkb#topic Gerrit 3.9 Upgrade19:13
clarkb#link https://etherpad.opendev.org/p/gerrit-upgrade-3.9 Upgrade prep and process notes19:13
clarkbIf you haven't yet it would be great if you can take a look at this document to ensure my plan looks sane and doesn't have any obvious issues19:13
clarkbwe have up to date image builds for 3.8 and 3.9 so we're upgrading from latest to latest of each release branch. And my concerns seem to be largely non issues after testing19:14
clarkbassuming nothing comes up before May 31 (Friday) at 1600 UTC I'll proceed with doing the upgrade then as previously announced19:14
clarkbThe upgrade doesn't require any schema changes to the db and all reindexing can be done online. Should make the actual process relatively quick but I still allocated an hour in case we decide to rollback (which requires offline reindexing)19:15
fungiit looks good to me, but as previously mentioned i'll be in a car all day so can't help. take my evaluation with a grain of salt ;)19:16
tonybI'll be around and and moved meetings out of the conflict zone19:16
fungii do still think this is good timing relative to release cycles of the larger communities we're hosting19:16
clarkbya I did cross check against the openstack release cycle and it looks clear. Starlingx just did a big release so expect them to be relatively quiet19:17
fungiif there are any short-term hitches, it shouldn't be too hard for them to absorb gracefully19:17
fungibut also the preliminary upgrade (and downgrade) testing has eliminated most concerns19:18
clarkbcool I peeked at 3.10 upgrade notes and I think the lucene stuff that 3.9 initially tripped over may now be somewhat intentional in the 3.10 release so that upgrade is likely to be more interesting than this one19:19
clarkbthey say the indexes are automatically rebuilt when upgrading to 3.10 from 3.9 but I get the sense that isn't via normal online reindexing and its automatic offline reindexing instead19:19
clarkbbut we'll figure that out in future testing. No need to worry about it now19:20
clarkb#topic Linaro Cloud Cert Renewal19:20
clarkbJust a reminder that this is still nearing its expiry. I think fungi mentioned possibly looking at it later as it became more urgent19:20
fungiyeah, i'm happy to serve as a last-minute backup if nobody else takes it19:21
clarkbthanks19:21
tonybI can do it later today or tomorrow19:21
clarkbdouble thanks!19:21
clarkb#topic Gitea 1.22 Upgrade19:22
clarkbThe long awaited Gitea 1.22 release has finally arrived (yesterday)19:22
fungii'll stop gripping my seat now19:22
clarkbThis change does include the updates to the doctor tool to fixup mysql dbs that we will want to apply to our databases19:22
clarkbs/change/release/19:22
clarkb#link https://review.opendev.org/c/opendev/system-config/+/920580/ Change implementing the upgrade19:22
clarkbI've gone ahead and pushed a change up that tests the upgrade (and will perform the upgrade when merged) and most things seem to be working19:23
clarkbthe appearance is changed slightly as part of some web css refactoring that I had to accomodate in our template overrides19:23
clarkbAnyway I plan to test the doctor tool on a held node for that upgrade before we upgrade anything. That said I suspect the plan will be to do the upgrade and then do the doctoring as separate steps19:24
clarkbsince the doctor fixups are not strictly required for this upgrade we'll just continue to have the same case sensitivity problems until we fix things19:24
clarkb#link https://104.130.74.99:3081/opendev/system-config Held Node19:24
tonybI did notice that 'code search' is back on the test server.  I don't know if we want to hide that in css again19:24
clarkbthis is the held node if anyone wants to take a look at the new gitea appearance or check things otherwise19:24
clarkbtonyb: were we intentioanlly hiding it before?19:25
clarkbhttps://opendev.org/explore/code I think its there today as well19:25
tonybI thought so, as it was generally not "right" in our usecase19:25
tonybHmm okay I'll look again19:25
fungii wasn't aware there was a code search link previously, maybe that's new?19:25
clarkbfungi: its in the current release too19:26
fungiit's always been reachable via the explore tab19:26
clarkboh the difference is whether it is available in the in repo view19:26
fungiahh19:26
clarkbI don't think it is a problem to have, we haven't removed codesearch because the gitea version is deficient but it isn't actively harmful as far as I can tell19:26
tonybOkay.19:27
clarkboh no its in the code repo view too just in a different spot (they really refactored the UI)19:27
tonybOoooo so it is19:28
clarkbBut ya I'm not sure its a problem and I wasn't aware that we had taken any active steps to disable it. It was more of a "we can't remove codesearch until gitea works better with search"19:28
fungiright, in my opinion we've continued to operate hound as a fallback option19:28
fungipeople can (and do) use either19:28
clarkbkeep calling out unexpected changes though. This release doesn't have a ton of "breaking" changes listed but it does seem to have a lot of user facing changes19:29
fungithey both return slightly different results19:29
fungii think the main deficiency in gitea's search is a lack of regex support, yeah?19:29
clarkbthat and it doesn't reindex things aggressively so some stuff just doesn't show up in results19:30
fungialso that it doesn't return all matches within each repo for a cross-repo search, but that's probably more of a pet peeve of mine19:30
clarkbhowever, I wonder/suspect if the db problems are related to that and fixing up the db might fix a number of these weird slightly broken behaviors we've seen19:30
fungidefinitely worth investigating further19:30
clarkbI'll dig into this upgrade more after gerrit is done19:31
clarkbuntil then let me know if you notice anything weird on the held node19:31
clarkb#topic Open Discussion19:31
clarkbAnything else?19:31
fungithe openstack tc is working on removing individual collaborators on pypi projects19:32
* gouthamr is lurking 19:32
fungithe pypi interface for doing that is clunky and there is no programmatic api available for it, so removing hundreds of collaborators on openstack deliverables is a lot of work clicking things19:33
fungione option would be to temporarily share access to the openstackci pypi account with openstack tc members so they can share the workload19:33
fungithough thinking through it, that will also be somewhat hindered by the new mfa requirement for pypi19:34
fungisince they would each need some way to access multi-factor auth credentials to that account19:35
gouthamrah; bummer19:35
clarkbtwo concerns: the account is used for more than just openstack (due to zuul multitenancy migrations being half done) and there is no way to promote an existing user like we can with gerrit group membership (for example we in the past promoted tonyb temporarily for brnach management before we grew the features and acls to just delegate that properly)19:35
fungithe fallback option is that tact sig members who have access to our openstackci account do all the work19:35
clarkbthis means that once we share the credenitals the only way to unshare them is to rotate credentials19:35
fungiyes, we'd presumably need to change the password and re-enroll the mfa with a new secret19:36
clarkbI think I'm generally ok with the idea given previous escalations of privileges to people like tonyb for other tasks as long as we keep the group small like that. But am concerned that the amount of work rotating and testing and fixing things after the fact is worse than just clicking buttons19:36
clarkbfungi: yes and then update zuul configs and test that it all still works with new new stray newlines involved19:36
fungiwell, the zuul configs should be using api keys now19:36
clarkbif we could do this programmatically then we could create a token that we revoke I think, but I guess there is no way to do that via a token and requires an actual user session?19:37
clarkbfungi: I'm operating under the assumtion we would have to roll those too19:37
clarkbbut maybe that is a bad assumption19:37
fungiyeah, from what i gather there's an open warehouse feature request to add api methods for collaborator maintenance19:37
fungii don't think password and mfa changes invalidate api keys that have been issued, but i suppose it's possible19:38
clarkbmaybe we can test that with a different account and if it doesn't invalidate/force rolling them due to exposure then the effort involved is likely much less than I feared19:39
clarkbthen we can get a small set of volunteers for a small time window before we roll the main credentials. The other concern I have is that it is difficult to audit this stuff (again due to the lack of groups and separate accounts) so keepign the window involved small helps19:40
corvusso... the end state would be that only the opendev credential has owner or maintainer status?19:41
fungiyes, for official openstack deliverables19:41
corvusi feel like that is slightly misaligned19:41
fungiit would probably be an improvement for openstack to also have more direct control over these packages19:42
corvus(in that it means that opendev is on the hook for any maintenance of the ownership list (including this situation))19:42
corvuswould it be appropriate for openstack to have its own (essentially never-used) credential for this?19:42
fungithe way i see it for now is that the openstack tact sig and opendev sysadmins are sharing that responsibility (and account), but i can see room for improvement19:43
clarkbcorvus: yes that could possibly work, but we'd still need to help in the transition work I think19:43
corvushrm, so other tenants should get their own accounts?19:43
clarkbbut in theory we'd do it once then be done19:43
fungimaking a new account for openstack raises the question of who stores and safeguards the password and mfa secret19:43
tonybCan we simulate the clicky clicky with something ike selenium?19:43
clarkbcorvus: I think long term that would be ideal. THe current account is called "openstackci" iirc19:44
clarkbyes confirmed19:44
fungitonyb: possibly, but https://xkcd.com/120519:44
corvusyeah... i'd be more comfortable with opendev being the only holder of these credentials if there were some low-impact way of us doing that maintenance (ie, script)19:44
fungiour irc accessbot is probably the closest example we have currently19:45
fricklerI can check until next week how much work this actually would be and whether I could volunteer to execute it in a reasonable time frame19:45
corvusagree, and that's pretty self-service19:45
tonybfungi: fair point19:45
fungifrickler: it's about 3 clicks per package plus re-entering the package name, and potentially several seconds wait between each operation19:46
fungier, 3 clicks per collaborator on a package, plus re-entering the collaborator's username i mean19:47
fungion each package19:47
fricklerbut usually there is only one other co-owner or multiple ones? do we know?19:47
fungipypi has a "are you really sure, type the name into this text input box to confirm you know what you're doing" step19:47
clarkbI think we can get that programmitcally as you can list all of the maintainers + owners together (it doesn't distinguish them though)19:47
fungifrickler: on some packages there are more than one19:47
fungigouthamr has a list19:48
gouthamryes; i have the extra-maintainers in a yaml dump here: 19:48
gouthamr#link https://etherpad.opendev.org/p/openstack-pypi-maintainers-cleanup#L52 19:49
clarkbside note looking at that list you should probably sort it by priority19:49
clarkba number of those are pacakges we don't care about much anymore so are less important19:49
fricklerso I can just start to work and see how it goes. and then judge how many weeks I think it might take me to go through gathering enough concentration in between19:49
fricklerand that would avoid all issues with creds rotation being needed19:51
fungialso, to be clear, the triggering event for this effort was that a historical collaborator on a package which was considered to be under the governance of openstack decided to push their own release for that project outside of what code was being maintained in gerrit, and the interest in preventing that in the future was amplified somewhat by the xz-utils compromise more recently19:51
corvusballpark that's maybe ~175 people to remove?19:51
clarkband more recently people have asked people who have moved on from poenstack to take over openstack packages because they are still listed on the pypi package19:51
clarkbanyway seems like frickler putting some effort into it to get a sense of the scale is a good first step19:53
corvusi agree with the effort; just not sure i love the idea that if anything comes up, opendev admins may be on the hook for updating pypi as packages are removed from openstack official governance.19:53
fricklergouthamr: do we actually care about (possibly soon to be) retired projects?19:53
fricklercorvus: well that's the case already for the majority of the projects anyway?19:54
corvusi have no better ideas given the current constraints; only a desire to change the constraints.  :)19:54
fungicorvus: i'm happy to reframe that as openstack tact sig representatives within the opendev sysadmins will take on those tasks as they arise, at least until we come up with a more self-service option like accessbot19:54
clarkbcorvus: what sorts of updates are you concerned about? I think much of the actual package properties and attributes can be driven through the release process. The main bit that can't is the maintainers/owners aiui19:54
corvusthe only concrete example i can think of is "hey opendev, can you add <username> to <project> because it's being released from openstack governance".19:56
clarkband yes I agree getting us out of this business is ideal, but currently we're stuck in it one way or another (we could add a second account for openstack to manage things with but that would flow through the openstackci account anyway)19:56
clarkbcorvus: ack. One option there may be to say you can't publish to the old name on pypi. But that may be problematic for other reasons (needing to update deps everywhere for example)19:56
fungiyeah, i mean, the majority of official openstack packages were *already* in this situation19:56
clarkbya I think the current proposal is still an improvement if not the ideal state. And we can revisit if we need to take additional steps to get closer to that ideal19:57
fungibecause an initial upload of a release on pypi creates the project there and adds the uploader as the only owner19:57
corvusto be clear, i'm not objecting to this work, or to frickler, or anyone else doing it.  just noting that we may be signing up for more work in the future depending on openstack project lifecycle, and that this is not as self-service as we would like.19:59
clarkbwe are just about at time now. I think it is reasonable for frickler to investigate the effort required to do this directly. Then next week at the TC meeting we can discuss the idea of package ownership having a secondary account to move us out of the dependency tree19:59
clarkbcorvus: ++19:59
fungiso anyway, the current state seems to be that frickler and i can look into sharing the work the tc is requesting, and separately we can brainstorm something like accessbot to create and add accounts on pypi (though the lack of an api for that in warehouse makes that a bit of a challenge at present)19:59
clarkbfungi: or just do another pass of adding openstackowner to all the packages20:00
fungiyeah20:00
fungiwhich i can also volunteer for if needed20:00
clarkbthen we can state "openstackci" is only used for publication. Other actions like changing owners when packages retire within openstack should be handled by the openstackowner account20:00
clarkband we are at time. Thank you everyone!20:00
tonybThanks all20:00
corvusand if there ever is an api, we can change the name of the publishing account :)20:01
clarkbI'm going to end it here since I need to eat lunch, but feel free to continue discussion in our other venues if you'd like to finish up on any of these thoughts20:01
clarkbcorvus: ++20:01
clarkb#endmeeting20:01
opendevmeetMeeting ended Tue May 28 20:01:25 2024 UTC.  Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4)20:01
opendevmeetMinutes:        https://meetings.opendev.org/meetings/infra/2024/infra.2024-05-28-19.00.html20:01
opendevmeetMinutes (text): https://meetings.opendev.org/meetings/infra/2024/infra.2024-05-28-19.00.txt20:01
opendevmeetLog:            https://meetings.opendev.org/meetings/infra/2024/infra.2024-05-28-19.00.log.html20:01
fungiyes, definitely20:01
* gouthamr responds to frickler late.. 20:04
gouthamrfrickler: soon-to-be retired ones, yes20:04
gouthamrthanks for the discussion here folks.. agree bringing up the "openstackowner" change in the TC room next week.. 20:07

Generated by irclog2html.py 2.17.3 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!