| *** rcernin_ has joined #openstack-infra | 00:02 | |
| *** rcernin has quit IRC | 00:03 | |
| *** signed8b_ is now known as signed8bit_Zzz | 00:03 | |
| *** dingyichen has joined #openstack-infra | 00:05 | |
| *** signed8bit_Zzz is now known as signed8b_ | 00:08 | |
| *** signed8b_ is now known as signed8bit_Zzz | 00:08 | |
| *** signed8bit_Zzz is now known as signed8b_ | 00:09 | |
| openstackgerrit | Ian Wienand proposed openstack-infra/system-config master: Support puppet5 for bionic https://review.openstack.org/589007 | 00:10 |
|---|---|---|
| ianw | cmurphy: ^ thanks for comment ... i think you're right on the paths. hopefully those added comments are correct (and the path) | 00:11 |
| ianw | I mean, I don't know if we even want to do this, in the middle of all this puppet4 work. if we get afs installing via ansible, then i'm not sure we have any bionic environments we need puppet on | 00:12 |
| clarkb | ianw: I htink it largely depends on how quickly we are able to move things from puppet to ansible | 00:16 |
| clarkb | ianw: we'll probably know a lot more about that after hte ptg | 00:16 |
| *** eharney has quit IRC | 00:18 | |
| *** tjgresha has joined #openstack-infra | 00:19 | |
| *** jamesmcarthur has joined #openstack-infra | 00:22 | |
| *** tjgresha has quit IRC | 00:27 | |
| *** signed8b_ is now known as signed8bit_Zzz | 00:28 | |
| *** rcernin has joined #openstack-infra | 00:29 | |
| *** rcernin has quit IRC | 00:29 | |
| *** rcernin has joined #openstack-infra | 00:30 | |
| tonyb | clarkb, ianw: having *something* working on bionic would be good so we can thaw the requirements repo | 00:30 |
| tonyb | ... well we can thaw it regardless but IIUC nothing will merge | 00:30 |
| clarkb | tonyb: bionic should work fine for test nodes, this is mostly a control plane for infra thing | 00:30 |
| ianw | got till 2021 ... still there's quite some logic to replicate out of puppet | 00:31 |
| tonyb | clarkb: IIRC ianw found that issue when I asked about getting https://review.openstack.org/#/c/588441/ passing | 00:32 |
| ianw | clarkb: i think the wheel builds might be a small cross-over point | 00:32 |
| *** rcernin_ has quit IRC | 00:32 | |
| clarkb | oh because we use puppet to set up afs | 00:32 |
| *** slaweq_ has joined #openstack-infra | 00:32 | |
| *** tjgresha has joined #openstack-infra | 00:33 | |
| *** zhurong has joined #openstack-infra | 00:33 | |
| clarkb | in that case maybe we just add puppet 5 because its mostly done (and puppet 4 is the leap 5 is not really a major problem) then we can move forward on wheels | 00:33 |
| ianw | someone else popped up wanting it, i can't remember who or why though | 00:33 |
| ianw | clarkb: i've got all the stuff out there for kerberos + afs via ansible -- just discussions over where to home it too | 00:34 |
| *** slaweq_ has quit IRC | 00:37 | |
| *** tjgresha has quit IRC | 00:38 | |
| *** jamesmcarthur has quit IRC | 00:39 | |
| *** bobh has joined #openstack-infra | 00:42 | |
| *** nicolasbock has quit IRC | 00:45 | |
| *** jamesmcarthur has joined #openstack-infra | 00:48 | |
| *** slaweq_ has joined #openstack-infra | 00:53 | |
| *** jpenag has joined #openstack-infra | 00:56 | |
| *** rh-jelabarre has quit IRC | 00:57 | |
| *** vivsoni has quit IRC | 00:57 | |
| *** dhill_ has quit IRC | 00:57 | |
| *** AhmadMahmoudi has quit IRC | 00:57 | |
| *** russellb has quit IRC | 00:57 | |
| *** ddurst has quit IRC | 00:57 | |
| *** gmann has quit IRC | 00:57 | |
| *** Shrews has quit IRC | 00:57 | |
| *** mpjetta has quit IRC | 00:57 | |
| *** v1k0d3n has quit IRC | 00:57 | |
| *** jpena|off has quit IRC | 00:57 | |
| *** lennyb has quit IRC | 00:57 | |
| *** DinaBelova has quit IRC | 00:57 | |
| *** yankcrime has quit IRC | 00:57 | |
| *** slaweq_ has quit IRC | 00:57 | |
| *** nicolasbock has joined #openstack-infra | 00:58 | |
| *** rh-jelabarre has joined #openstack-infra | 00:59 | |
| *** panda|ruck has quit IRC | 00:59 | |
| *** panda has joined #openstack-infra | 01:02 | |
| *** agopi has quit IRC | 01:03 | |
| *** vivsoni has joined #openstack-infra | 01:03 | |
| *** russellb has joined #openstack-infra | 01:04 | |
| *** 18WAA8G2G has joined #openstack-infra | 01:04 | |
| *** AhmadMahmoudi has joined #openstack-infra | 01:04 | |
| *** ddurst has joined #openstack-infra | 01:04 | |
| *** gmann has joined #openstack-infra | 01:04 | |
| *** Shrews has joined #openstack-infra | 01:04 | |
| *** v1k0d3n has joined #openstack-infra | 01:04 | |
| *** DinaBelova has joined #openstack-infra | 01:04 | |
| *** yankcrime has joined #openstack-infra | 01:04 | |
| *** 18WAA8G2G has quit IRC | 01:04 | |
| *** DinaBelova has quit IRC | 01:04 | |
| *** DinaBelova has joined #openstack-infra | 01:05 | |
| *** panda has quit IRC | 01:06 | |
| *** openstackgerrit has quit IRC | 01:06 | |
| *** panda has joined #openstack-infra | 01:07 | |
| *** slaweq_ has joined #openstack-infra | 01:11 | |
| *** openstackgerrit has joined #openstack-infra | 01:12 | |
| openstackgerrit | zhurong proposed openstack-infra/project-config master: Add publish-to-pypi for murano-tempest-plugin https://review.openstack.org/591539 | 01:12 |
| *** slaweq_ has quit IRC | 01:16 | |
| *** hemna_ has quit IRC | 01:17 | |
| *** bobh has quit IRC | 01:22 | |
| openstackgerrit | Derek Waldner proposed openstack-infra/git-review master: Update default gerrit namespace https://review.openstack.org/584607 | 01:28 |
| ianw | hrm, now i'm looking at https://review.openstack.org/#/c/586526/ and confused if we should use puppetlabs or not | 01:28 |
| *** slaweq_ has joined #openstack-infra | 01:32 | |
| openstackgerrit | Tristan Cacqueray proposed openstack-infra/zuul master: executor: enable add_host for trusted play and update inventory https://review.openstack.org/590092 | 01:32 |
| *** mschuppert has quit IRC | 01:33 | |
| *** slaweq_ has quit IRC | 01:37 | |
| *** zhurong has quit IRC | 01:39 | |
| *** jiapei has joined #openstack-infra | 01:49 | |
| *** Goneri has quit IRC | 01:50 | |
| *** gfidente has quit IRC | 01:55 | |
| ianw | mordred: any guesses why my ssh authorized key on bridge.o.o is "ssh-rsa" and not "ssh-ed25519 "? | 02:01 |
| *** hongbin has joined #openstack-infra | 02:01 | |
| openstackgerrit | Keiichi Hikita proposed openstack-infra/project-config master: Add qinling-dashboard project https://review.openstack.org/591546 | 02:07 |
| *** jamesmcarthur has quit IRC | 02:08 | |
| *** slaweq_ has joined #openstack-infra | 02:11 | |
| *** jamesmcarthur has joined #openstack-infra | 02:12 | |
| *** zhurong has joined #openstack-infra | 02:14 | |
| *** slaweq_ has quit IRC | 02:16 | |
| *** longkb has joined #openstack-infra | 02:17 | |
| ianw | oh, i guess https://review.openstack.org/#/c/589897/ ... and haven't rerun to pick that up. so that explains that | 02:17 |
| openstackgerrit | zhurong proposed openstack-infra/project-config master: Add publish-to-pypi for solum-tempest-plugin https://review.openstack.org/591549 | 02:27 |
| *** rh-jelabarre has quit IRC | 02:30 | |
| *** slaweq_ has joined #openstack-infra | 02:32 | |
| *** russellb has left #openstack-infra | 02:34 | |
| *** psachin has joined #openstack-infra | 02:36 | |
| *** slaweq_ has quit IRC | 02:36 | |
| *** jamesmcarthur has quit IRC | 02:46 | |
| *** jamesmcarthur has joined #openstack-infra | 02:52 | |
| *** yamahata has quit IRC | 03:01 | |
| *** vivsoni has quit IRC | 03:01 | |
| *** ykarel|away has joined #openstack-infra | 03:02 | |
| *** Bhujay has joined #openstack-infra | 03:04 | |
| *** slaweq_ has joined #openstack-infra | 03:11 | |
| *** zhurong has quit IRC | 03:14 | |
| *** slaweq_ has quit IRC | 03:16 | |
| *** armax has quit IRC | 03:20 | |
| *** slaweq_ has joined #openstack-infra | 03:32 | |
| *** ykarel|away has quit IRC | 03:34 | |
| *** slaweq_ has quit IRC | 03:37 | |
| *** hongbin has quit IRC | 03:39 | |
| *** Bhujay has quit IRC | 03:40 | |
| *** jamesmcarthur has quit IRC | 03:42 | |
| *** jamesmcarthur has joined #openstack-infra | 03:52 | |
| *** slaweq_ has joined #openstack-infra | 03:53 | |
| *** udesale has joined #openstack-infra | 03:53 | |
| *** jamesmcarthur has quit IRC | 03:57 | |
| *** slaweq_ has quit IRC | 03:57 | |
| *** jiapei has quit IRC | 03:59 | |
| *** vivsoni has joined #openstack-infra | 04:00 | |
| *** jamesmcarthur has joined #openstack-infra | 04:05 | |
| *** dave-mccowan has quit IRC | 04:12 | |
| *** Bhujay has joined #openstack-infra | 04:21 | |
| *** roman_g_ has quit IRC | 04:21 | |
| *** yamahata has joined #openstack-infra | 04:25 | |
| openstackgerrit | Keiichi Hikita proposed openstack-infra/project-config master: Add qinling-dashboard project https://review.openstack.org/591546 | 04:28 |
| *** janki has joined #openstack-infra | 04:28 | |
| *** agopi has joined #openstack-infra | 04:31 | |
| *** slaweq_ has joined #openstack-infra | 04:32 | |
| *** slaweq_ has quit IRC | 04:36 | |
| *** jamesmcarthur has quit IRC | 04:41 | |
| *** dingyichen has quit IRC | 04:52 | |
| *** ykarel|away has joined #openstack-infra | 05:05 | |
| *** gyee has quit IRC | 05:05 | |
| *** slaweq_ has joined #openstack-infra | 05:11 | |
| *** ykarel|away is now known as ykarel | 05:11 | |
| openstackgerrit | Ian Wienand proposed openstack-infra/infra-specs master: letsencrypt spec https://review.openstack.org/587283 | 05:14 |
| ianw | clarkb / mordred / fungi: ^ updated, and I can't think of anything else i want to say in there, so ready for actual review | 05:15 |
| *** slaweq_ has quit IRC | 05:16 | |
| *** Tengu_ is now known as Tengu | 05:25 | |
| *** apetrich has joined #openstack-infra | 05:26 | |
| *** jamesmcarthur has joined #openstack-infra | 05:27 | |
| *** jamesmcarthur has quit IRC | 05:32 | |
| *** slaweq_ has joined #openstack-infra | 05:32 | |
| *** slaweq_ has quit IRC | 05:37 | |
| *** slaweq_ has joined #openstack-infra | 05:53 | |
| openstackgerrit | Keiichi Hikita proposed openstack-infra/project-config master: Add qinling-dashboard project https://review.openstack.org/591546 | 05:55 |
| *** slaweq_ has quit IRC | 05:57 | |
| *** jamesmcarthur has joined #openstack-infra | 06:00 | |
| *** jamesmcarthur has quit IRC | 06:05 | |
| openstackgerrit | Keiichi Hikita proposed openstack-infra/project-config master: Add qinling-dashboard project https://review.openstack.org/591546 | 06:05 |
| *** vivsoni has quit IRC | 06:13 | |
| *** odyssey4me has quit IRC | 06:14 | |
| *** odyssey4me has joined #openstack-infra | 06:14 | |
| openstackgerrit | Ian Wienand proposed openstack-infra/infra-specs master: Direction setting for 3rd Party CI https://review.openstack.org/563849 | 06:24 |
| *** slaweq_ has joined #openstack-infra | 06:32 | |
| *** slaweq_ has quit IRC | 06:36 | |
| ianw | we're getting a bunch of timeouts to hosts booting in rax | 06:37 |
| ianw | not really a lot helpful ... http://paste.openstack.org/show/727972/ ... just can't ssh to it | 06:38 |
| ianw | it's across centos7, trusty and debian-stable from what i can tell | 06:41 |
| ianw | i wonder what they all have in common? python2 comes to mind ... | 06:41 |
| AJaeger | do we have new images? | 06:44 |
| *** pcaruana has joined #openstack-infra | 06:44 | |
| AJaeger | ianw: https://review.openstack.org/591446 is one change that comes to mind | 06:44 |
| ianw | AJaeger: not really .... http://nl01.openstack.org/image-list | 06:44 |
| openstackgerrit | Markus Hosch proposed openstack-infra/nodepool master: Move sphinx + deps to doc/requirements.txt https://review.openstack.org/591565 | 06:47 |
| AJaeger | ianw: those three platforms all have the new change - but if this just occured now... | 06:48 |
| AJaeger | so, looks like those have an age of up to 8h - the change merged more than 12 hours ago. | 06:49 |
| AJaeger | ianw: sorry, no other ideas | 06:50 |
| AJaeger | the new images are in other clouds - so why do they fail in rax but work elsewhere? | 06:50 |
| *** slaweq_ has joined #openstack-infra | 06:53 | |
| ianw | AJaeger: gotta duck out for a bit, but will try and take a look. i'm trying to manually boot a centos7 node in rax to see if we can get anything from console | 06:54 |
| AJaeger | ianw: understood - thanks. Let's see whether another infra-root is around - plan b is always to shut down rax for now to have time to investigate. | 06:56 |
| *** slaweq_ has quit IRC | 06:57 | |
| *** slaweq_ has joined #openstack-infra | 07:00 | |
| *** ccamacho has joined #openstack-infra | 07:01 | |
| *** rcernin has quit IRC | 07:02 | |
| *** amoralej|off is now known as amoralej | 07:09 | |
| *** e0ne has joined #openstack-infra | 07:18 | |
| *** olivierbourdon38 has joined #openstack-infra | 07:39 | |
| ianw | well there's been no dib release, and no glean release | 07:45 |
| *** holser_ has joined #openstack-infra | 07:47 | |
| ianw | i can't tell anything from the centos boot console. on my test, i can't see it even gets a network | 07:48 |
| ianw | but that's different to the nodepool booted hosts, they reject the ssh connection | 07:49 |
| *** janki is now known as janki|lunch | 07:52 | |
| *** ykarel is now known as ykarel|lunch | 07:56 | |
| *** alexchadin has joined #openstack-infra | 07:57 | |
| *** jpich has joined #openstack-infra | 07:59 | |
| *** gfidente has joined #openstack-infra | 08:03 | |
| ianw | here's the console for a trusty host https://imgur.com/a/NXQy8L8 | 08:10 |
| *** Bhujay has quit IRC | 08:10 | |
| ianw | ubuntu-trusty-1534208569 ... ready | 00:05:11:22 | 08:10 |
| *** openstackstatus has quit IRC | 08:12 | |
| ianw | i'm rebuilding it with ubuntu-trusty-1534119483 which should be yesterday's trusty rax-dfw image ... see if that works | 08:12 |
| ianw | i would say https://nb01.openstack.org/ubuntu-trusty-0000003719.log is the old build | 08:14 |
| ianw | and https://nb02.openstack.org/ubuntu-trusty-0000003720.log is the new build | 08:14 |
| *** dtantsur|afk is now known as dtantsur | 08:15 | |
| *** jamesmcarthur has joined #openstack-infra | 08:16 | |
| *** jamesmcarthur has quit IRC | 08:20 | |
| *** yamahata has quit IRC | 08:26 | |
| *** jpenag is now known as jpena | 08:27 | |
| *** derekh has joined #openstack-infra | 08:29 | |
| *** Bhujay has joined #openstack-infra | 08:34 | |
| *** ykarel|lunch is now known as ykarel | 08:36 | |
| ianw | ok, it is definitely the new image. 9483 works, 8569 doesn't | 08:41 |
| *** kaisers has joined #openstack-infra | 08:41 | |
| *** janki|lunch is now known as janki | 08:42 | |
| ianw | /etc/ssh/sshd_config line 85: Bad yes/no argument: No | 08:44 |
| ianw | i think we found it | 08:44 |
| AJaeger | so, let'S revert https://review.openstack.org/591446 | 08:44 |
| openstackgerrit | Andreas Jaeger proposed openstack-infra/project-config master: Revert "Disable password auth on dib images" https://review.openstack.org/591588 | 08:45 |
| ianw | yes, that was from running those changes manually on a working host | 08:45 |
| AJaeger | ianw, how does the line need to look like? Lowercase no? | 08:46 |
| ianw | AJaeger: yep, replacing the "Yes" and "No" with "yes" and "no" makes sshd -t work again | 08:47 |
| ianw | back in a bit, just got to eat | 08:48 |
| *** sshnaidm|off is now known as sshnaidm | 08:48 | |
| AJaeger | ianw: so, why is the line above in the file working? it has echo "PermitRootLogin Yes", shouldn't this be lowercase as well? | 08:49 |
| AJaeger | clarkb: ^ | 08:49 |
| AJaeger | ianw: enjoy! | 08:49 |
| AJaeger | infra-root, I'll +2A the revert myself to allow us moving forward | 08:51 |
| *** jaosorior has quit IRC | 08:53 | |
| AJaeger | clarkb, ianw, interesting PermitRootLogin Yes works but PAsswordAuthentication needs lowercase no ;( Tested on my machine | 08:55 |
| *** roman_g_ has joined #openstack-infra | 09:01 | |
| openstackgerrit | Merged openstack-infra/project-config master: Revert "Disable password auth on dib images" https://review.openstack.org/591588 | 09:03 |
| *** electrofelix has joined #openstack-infra | 09:04 | |
| ianw | AJaeger: when that pulls in to nb i can delete all the bad builds | 09:06 |
| ianw | AJaeger: i'm guessing it's pretty ssh version specific, it would explain why the older distros centos7, trusty and debian-stable all failed | 09:06 |
| *** alexchadin has quit IRC | 09:07 | |
| openstackgerrit | Ian Wienand proposed openstack-infra/project-config master: Revert "Revert "Disable password auth on dib images"" https://review.openstack.org/591593 | 09:18 |
| openstackgerrit | Ghanshyam Mann proposed openstack-infra/devstack-gate master: Update grenade settings for stable/rocky https://review.openstack.org/591594 | 09:19 |
| *** markvoelker has joined #openstack-infra | 09:33 | |
| ianw | ok, the revert has made it to builders. i'll delete todays builds | 09:33 |
| *** alexchadin has joined #openstack-infra | 09:36 | |
| ianw | #status log nodepool dib images centos-7-0000009152 debian-stretch-0000000171 ubuntu-trusty-0000003720 removed, see https://review.openstack.org/591588 | 09:37 |
| ianw | no statusbot? | 09:38 |
| *** openstackstatus has joined #openstack-infra | 09:41 | |
| *** ChanServ sets mode: +v openstackstatus | 09:41 | |
| ianw | i don't know what happened, it dropped out @ 2018-08-14 08:10:08,374 and never processed anything more. i restarted it | 09:42 |
| ianw | #status log nodepool dib images centos-7-0000009152 debian-stretch-0000000171 ubuntu-trusty-0000003720 removed, see https://review.openstack.org/591588 | 09:45 |
| openstackstatus | ianw: finished logging | 09:45 |
| ianw | Launch failed for node ubuntu-xenial-rax-ord-0001315452 | 09:51 |
| ianw | i guess it's spreading | 09:51 |
| ianw | i'll just delete all the newest builds | 09:51 |
| openstackgerrit | Tristan Cacqueray proposed openstack-infra/zuul master: [wip] web: rewrite interface in react https://review.openstack.org/591604 | 09:56 |
| openstackgerrit | Ian Wienand proposed openstack-infra/project-config master: Revert "Revert "Disable password auth on dib images"" https://review.openstack.org/591593 | 09:56 |
| *** ykarel is now known as ykarel|afk | 09:58 | |
| *** dpawlik has quit IRC | 10:03 | |
| ianw | ok, nodes are launch ok now | 10:03 |
| *** dpawlik has joined #openstack-infra | 10:05 | |
| *** markvoelker has quit IRC | 10:07 | |
| ianw | not seeing any launch failures now. rebuilds are all happening. i'm stepping away, so good luck all :) | 10:10 |
| openstackgerrit | Matthieu Huin proposed openstack-infra/nodepool master: Do not abort node launch if failed node cannot be deleted https://review.openstack.org/589854 | 10:13 |
| *** panda is now known as panda|ruck | 10:24 | |
| AJaeger | thanks a lot, ianw ! Good night | 10:32 |
| openstackgerrit | Tristan Cacqueray proposed openstack-infra/zuul master: [wip] web: rewrite interface in react https://review.openstack.org/591604 | 10:40 |
| *** jamesmcarthur has joined #openstack-infra | 10:48 | |
| *** jaosorior has joined #openstack-infra | 10:51 | |
| openstackgerrit | Tristan Cacqueray proposed openstack-infra/zuul master: [wip] web: rewrite interface in react https://review.openstack.org/591604 | 10:58 |
| *** udesale has quit IRC | 10:59 | |
| *** markvoelker has joined #openstack-infra | 11:04 | |
| *** jpena is now known as jpena|lunch | 11:15 | |
| *** jaosorior has quit IRC | 11:17 | |
| *** holser_ has quit IRC | 11:17 | |
| *** jaosorior has joined #openstack-infra | 11:17 | |
| openstackgerrit | Merged openstack-infra/openstack-zuul-jobs master: Test validate-host role https://review.openstack.org/563702 | 11:21 |
| openstackgerrit | Tristan Cacqueray proposed openstack-infra/zuul master: [wip] web: rewrite interface in react https://review.openstack.org/591604 | 11:32 |
| *** rosmaita has joined #openstack-infra | 11:33 | |
| *** rh-jelabarre has joined #openstack-infra | 11:34 | |
| *** markvoelker has quit IRC | 11:37 | |
| *** ssbarnea has quit IRC | 11:44 | |
| *** ykarel|afk is now known as ykarel | 11:47 | |
| *** jamesmcarthur has quit IRC | 11:48 | |
| *** nicolasbock has quit IRC | 11:49 | |
| *** ssbarnea has joined #openstack-infra | 11:50 | |
| *** tpsilva has joined #openstack-infra | 11:51 | |
| *** slagle has joined #openstack-infra | 11:53 | |
| *** alexchadin has quit IRC | 11:55 | |
| *** jamesmcarthur has joined #openstack-infra | 11:59 | |
| *** boden has joined #openstack-infra | 12:05 | |
| panda|ruck | I still see node_failures in the gates | 12:05 |
| AJaeger | panda|ruck: what time? What change? | 12:06 |
| panda|ruck | http://zuul.openstack.org/status.html has some on changes at the top. At this moment 591257 has gates in node_failure | 12:07 |
| AJaeger | panda|ruck: that one started first jobs around 8:00 UTC, so while ianw was fixing stuff. We do not abort if one job fails - and the long running jobs run verrrrrrrrrrry long. | 12:09 |
| AJaeger | panda|ruck: so, that looks like expected | 12:09 |
| panda|ruck | AJaeger: ok, thanks. | 12:09 |
| *** longkb has quit IRC | 12:13 | |
| *** holser_ has joined #openstack-infra | 12:17 | |
| *** dpawlik has quit IRC | 12:20 | |
| slagle | pabelanger: are the ci images built by nodepool published anywhere they can be downloaded? | 12:21 |
| *** jpena|lunch is now known as jpena | 12:21 | |
| *** jamesmcarthur has quit IRC | 12:22 | |
| AJaeger | slagle: no, they are not | 12:23 |
| slagle | AJaeger: ok thanks | 12:23 |
| AJaeger | slagle: you can build it yourself - see project-config repo, file nodepool/elements/README.rst | 12:25 |
| *** trown|outtypewww is now known as trown | 12:32 | |
| *** udesale has joined #openstack-infra | 12:33 | |
| *** jaosorior has quit IRC | 12:39 | |
| *** rnoriega has quit IRC | 12:39 | |
| *** dpawlik has joined #openstack-infra | 12:42 | |
| *** dave-mccowan has joined #openstack-infra | 12:43 | |
| *** rlandy has joined #openstack-infra | 12:47 | |
| *** signed8bit_Zzz is now known as signed8b_ | 12:47 | |
| *** amoralej is now known as amoralej|lunch | 12:48 | |
| openstackgerrit | Matthieu Huin proposed openstack-infra/nodepool master: Do not abort node launch if failed node cannot be deleted https://review.openstack.org/589854 | 12:55 |
| openstackgerrit | Colleen Murphy proposed openstack-infra/puppet-openstackci master: Add beaker tests for nodepool https://review.openstack.org/577522 | 13:03 |
| *** psachin has quit IRC | 13:06 | |
| *** Bhujay has quit IRC | 13:07 | |
| *** Bhujay has joined #openstack-infra | 13:07 | |
| *** jamesmcarthur has joined #openstack-infra | 13:08 | |
| *** alexchadin has joined #openstack-infra | 13:09 | |
| *** eharney has joined #openstack-infra | 13:13 | |
| *** jamesmcarthur has quit IRC | 13:13 | |
| *** jamesmcarthur has joined #openstack-infra | 13:23 | |
| *** jcoufal has joined #openstack-infra | 13:23 | |
| *** signed8b_ is now known as signed8bit_Zzz | 13:31 | |
| *** Bhujay has quit IRC | 13:40 | |
| evrardjp | how do I investigate issues like NODE_FAILURE ? | 13:44 |
| evrardjp | #noob | 13:44 |
| *** jaosorior has joined #openstack-infra | 13:44 | |
| AJaeger | evrardjp: we fixed those problems, just recheck | 13:46 |
| evrardjp | that doesn't teach me how to fish | 13:47 |
| evrardjp | and I am eating a lot. | 13:48 |
| evrardjp | I guess I will read this chan log :D | 13:48 |
| openstackgerrit | Markus Hosch proposed openstack-infra/nodepool master: Add list of metrics provided to statsd https://review.openstack.org/590233 | 13:49 |
| AJaeger | evrardjp: read scrollback from ianw at 6:44. A NODE_FAILURE is something that needs an admin to investigate who has access to log files | 13:49 |
| openstackgerrit | Olivier Bourdon proposed openstack/diskimage-builder master: [DNM] Testing CentOS images builds on Ubuntu Xenial https://review.openstack.org/591366 | 13:49 |
| evrardjp | AJaeger: that's the answer I was expecting! | 13:49 |
| evrardjp | Thanks | 13:49 |
| *** pbourke has quit IRC | 13:54 | |
| *** amoralej|lunch is now known as amoralej | 13:54 | |
| *** pbourke has joined #openstack-infra | 13:56 | |
| *** agopi has quit IRC | 13:59 | |
| openstackgerrit | Matthieu Huin proposed openstack-infra/nodepool master: Do not abort node launch if failed node cannot be deleted https://review.openstack.org/589854 | 14:01 |
| *** bobh has joined #openstack-infra | 14:04 | |
| *** signed8bit_Zzz is now known as signed8b_ | 14:04 | |
| *** bobh has quit IRC | 14:09 | |
| *** olivierbourdon38 has quit IRC | 14:09 | |
| pabelanger | slagle: AJaeger: you can fetch them from https://nb01.openstack.org/images/ now, self-signed cert, but agree with AJaeger you should can build them locally | 14:14 |
| AJaeger | pabelanger: thanks, wasn't aware of that one. | 14:17 |
| *** alexchadin has quit IRC | 14:20 | |
| slagle | pabelanger: thanks | 14:21 |
| pabelanger | AJaeger: yah, clarkb published them a while back. They still contain our zuul user key, so wouldn't expect people to run them in production | 14:22 |
| *** agopi has joined #openstack-infra | 14:24 | |
| *** eharney has quit IRC | 14:24 | |
| *** dpawlik has quit IRC | 14:25 | |
| openstackgerrit | Mohammed Naser proposed openstack-infra/project-config master: Publish Ceilometer to PyPI https://review.openstack.org/591682 | 14:30 |
| *** jd_ has quit IRC | 14:33 | |
| *** ccamacho has quit IRC | 14:34 | |
| *** eharney has joined #openstack-infra | 14:37 | |
| clarkb | ianw: AJaeger so it needs to be "no" not "No" on newer openssh? | 14:38 |
| AJaeger | clarkb: apparently - tested even on my system | 14:38 |
| clarkb | er on older openssh I guess | 14:38 |
| AJaeger | clarkb: I see mordred just approved the change, do you want to build some images to test? | 14:39 |
| mordred | AJaeger: oh - I can remove the +A | 14:39 |
| AJaeger | mordred: I hope it's fine - worked on my machine where the "No" failed ;) | 14:39 |
| * mordred saw that AJaeger had tested it locally | 14:39 | |
| mordred | yah | 14:39 |
| clarkb | I'm fine with 'no' if you tested locally | 14:39 |
| *** olivierbourdon38 has joined #openstack-infra | 14:40 | |
| clarkb | and we can build images in foreground so it doesnt happen whem we sleep | 14:40 |
| mordred | cool | 14:40 |
| *** olivierbourdon38 has quit IRC | 14:43 | |
| openstackgerrit | Mohammed Naser proposed openstack-infra/project-config master: Publish Ceilometer to PyPI https://review.openstack.org/591682 | 14:44 |
| openstackgerrit | Merged openstack-infra/project-config master: Revert "Revert "Disable password auth on dib images"" https://review.openstack.org/591593 | 14:44 |
| *** Bhujay has joined #openstack-infra | 14:52 | |
| *** bstinson_ is now known as bstinson | 14:55 | |
| *** ccamacho has joined #openstack-infra | 14:56 | |
| *** dpawlik has joined #openstack-infra | 15:03 | |
| *** vtapia has quit IRC | 15:06 | |
| *** rpioso|afk is now known as rpioso | 15:07 | |
| *** dpawlik has quit IRC | 15:07 | |
| *** e0ne has quit IRC | 15:16 | |
| *** yamahata has joined #openstack-infra | 15:16 | |
| *** larainema has quit IRC | 15:17 | |
| *** ccamacho has quit IRC | 15:19 | |
| openstackgerrit | Markus Hosch proposed openstack-infra/nodepool master: Add list of metrics provided to statsd https://review.openstack.org/590233 | 15:20 |
| *** quite has joined #openstack-infra | 15:20 | |
| *** e0ne has joined #openstack-infra | 15:20 | |
| openstackgerrit | Doug Hellmann proposed openstack-infra/project-config master: remove job settings for Documentation repositories https://review.openstack.org/591760 | 15:25 |
| *** psachin has joined #openstack-infra | 15:25 | |
| *** armax has joined #openstack-infra | 15:27 | |
| *** gfidente has quit IRC | 15:35 | |
| *** janki has quit IRC | 15:36 | |
| clarkb | mordred: AJaeger I've triggered an ubuntu-trusty image build | 15:37 |
| clarkb | so that we can double check ssh is happy on a less used image | 15:37 |
| clarkb | I'll keep an eye on that and sorry for the earlier trouble | 15:38 |
| *** ykarel is now known as ykarel|away | 15:41 | |
| mnaser | does anyone know how to install stuff from git in requirements.txt with pbr? | 15:42 |
| mnaser | i'm at attempt/iteration #4592 | 15:42 |
| openstackgerrit | Markus Hosch proposed openstack-infra/nodepool master: Add metric for image build result https://review.openstack.org/590412 | 15:44 |
| mordred | mnaser: you can't | 15:51 |
| mnaser | mordred: darn, good to know | 15:51 |
| mordred | mnaser: I say that - hang on just a sec - I'm 99% sure we block that | 15:51 |
| mnaser | im not sure what is the best way to build something like a ceilometer pollster that needs to depend on ceilometer (that's not out of pypi) | 15:51 |
| mordred | mnaser: the best way is to get it in to pypi | 15:52 |
| *** e0ne has quit IRC | 15:52 | |
| mordred | mnaser: this is basically the situation that neutron and horizon got themselves in and is a reason why put in effort to prevent depending on git urls | 15:53 |
| mnaser | mordred: i pushed up this https://review.openstack.org/#/c/591682/ but im not sure if we can get a previous release pushed up (like at least the latest queens) | 15:53 |
| mordred | mnaser: oh - I'm sorry, I lied. it's just openstack global-requirements that prevents it | 15:53 |
| mnaser | i've tried "git+https://github.com/openstack/ceilometer.git@11.0.0#egg=ceilometer" "-e git+https://github.com/openstack/ceilometer.git@11.0.0#egg=ceilometer==11.0.0" "-e git+https://github.com/openstack/ceilometer.git@11.0.0#egg=ceilometer" "git+https://github.com/openstack/ceilometer.git@stable/queens#egg=ceilometer" and all sorts of attempts | 15:54 |
| mnaser | but tox fails to install :< | 15:54 |
| mordred | mnaser: have you tried "-e git://github.com/openstack/ceilometer/master@11.0.0#egg=ceilometer" ? | 15:54 |
| mordred | mnaser: the issue here is that we have to take requirements.txt lines and inject them into install_requires in setuptools format | 15:55 |
| mnaser | mordred: "pip install -c 'https://git.openstack.org/cgit/openstack/requirements/plain/upper-constraints.txt?h=stable/queens' -e /Users/mnaser/code/ceilometer-ovs --process-dependency-links --trusted-host github.com" => "Could not find a version that satisfies the requirement ceilometer (from ceilometer-ovs==0.0.1.dev2) (from versions: )" | 15:56 |
| mnaser | yeah i figured, hence i added --process-dependency-links which apparently help with that | 15:56 |
| mordred | well, they do - except pip isn't reading the requirements.txt file | 15:56 |
| *** ccamacho has joined #openstack-infra | 15:56 | |
| mordred | if you did pip install -r requirements.txt it would help ... but when you are pip installing ceilometer-ovs, pbr is reading the requirements.txt file and adding the contents to the setuptools install_requires argument | 15:57 |
| mordred | this is because our fine friends in pip land believe that using requirements.txt files in the way we use them is "wrong" for some reason | 15:57 |
| mnaser | yeah, i'm not sure how to go about doing this, i'm pretty much trying to just package these pollsters/discovery stuff into a python package | 15:57 |
| mnaser | so i need to depend on ceilometer's base plugin | 15:57 |
| mordred | instead advocating that requirements.txt files should be versionless so that a developer can choose which versions of dependencies they want to install at installation time | 15:58 |
| mordred | mnaser: WELL ... you don't HAVE to depend on ceilometer in the pollsters package | 15:58 |
| *** ykarel|away has quit IRC | 15:59 | |
| mnaser | mordred: i do because i need to be a subclass of things afaik | 15:59 |
| mordred | mnaser: you could just make a fake of the plugin interface for your unittests and then rely on integration tests | 15:59 |
| mnaser | oh that's an interesting approach | 15:59 |
| mnaser | which is way cleaner than pulling all of ceilometer in | 15:59 |
| mordred | yah. since in the real world you'll never expect just installing ceilometer-ovs would pull in ceilometer and get you a working thing | 16:00 |
| mnaser | yeah | 16:00 |
| mordred | it's really a weird kind of reverse-depend that you only need for testing | 16:00 |
| mordred | mnaser: so if you make a fake interface thing - you could also do a "try: import ceilometer except: import ceilometer-fak" or something liek that- so that pep8 would be pleased | 16:01 |
| *** gyee has joined #openstack-infra | 16:02 | |
| *** pcaruana has quit IRC | 16:02 | |
| pabelanger | mordred: clarkb: corvus: AJaeger: do we want to consider doing rework of base jobs this week? http://lists.openstack.org/pipermail/openstack-infra/2018-August/006032.html | 16:09 |
| *** rpittau has quit IRC | 16:09 | |
| pabelanger | I'm confident we won't break anything, but likely need some eyes to help land it | 16:09 |
| pabelanger | Hmm, Sigyn PM | 16:09 |
| pabelanger | doesn't like the multiple pings in a message | 16:10 |
| pabelanger | maybe we should remove it from channel while we have +r on | 16:10 |
| clarkb | pabelanger: there is a thread on the openstack dev list about that too. I'm actually wondering if the spam attack is persisting or not (+r has put us in a bubble) | 16:11 |
| *** jrist has quit IRC | 16:12 | |
| pabelanger | yah | 16:13 |
| *** jpena is now known as jpena|off | 16:13 | |
| pabelanger | clarkb: btw: bumping to ansible 2.5 seems to have worked: https://review.openstack.org/591527/ | 16:18 |
| pabelanger | however, wonder if too late in release cycle to make that change | 16:18 |
| pabelanger | guess not really an issue since it is branchless | 16:18 |
| clarkb | pabelanger: ya we may want to make that change once new branches are made | 16:18 |
| clarkb | just to avoid getting in the way | 16:18 |
| pabelanger | wfm | 16:19 |
| clarkb | trusty image build just finsihed and is uploading to clouds now | 16:20 |
| *** auristor has quit IRC | 16:21 | |
| *** auristor has joined #openstack-infra | 16:23 | |
| *** d0ugal has quit IRC | 16:28 | |
| *** jamesmcarthur has quit IRC | 16:35 | |
| *** jamesmcarthur has joined #openstack-infra | 16:37 | |
| clarkb | pabelanger: I think that happens real soon now fwiw | 16:38 |
| *** jpich has quit IRC | 16:38 | |
| clarkb | pabelanger: some projects already have the new brnach but not all | 16:38 |
| *** jrist has joined #openstack-infra | 16:38 | |
| *** ccamacho has quit IRC | 16:39 | |
| pabelanger | clarkb: yah, just seen email on ML about brancing | 16:41 |
| pabelanger | branching* | 16:41 |
| *** jamesmcarthur has quit IRC | 16:42 | |
| openstackgerrit | Paul Belanger proposed openstack-infra/openstack-zuul-jobs master: Remove legacy-opensuse-423 nodeset https://review.openstack.org/591781 | 16:46 |
| *** rlandy is now known as rlandy|brb | 16:46 | |
| clarkb | trusty image is done uploading in a few clouds now. Will watch it for unhappyness | 16:47 |
| *** jamesmcarthur has joined #openstack-infra | 16:50 | |
| openstackgerrit | Paul Belanger proposed openstack-infra/openstack-zuul-jobs master: Remove legacy-opensuse-423 nodeset https://review.openstack.org/591781 | 16:52 |
| *** udesale has quit IRC | 16:54 | |
| *** jamesmcarthur has quit IRC | 16:54 | |
| clarkb | rax-iad is building a ne wtrusty node that should boot off the new image now | 16:59 |
| fungi | do we have an unrevert up with no instead of No? | 17:01 |
| clarkb | fungi: yup | 17:02 |
| clarkb | and yes instead of Yes | 17:02 |
| clarkb | I manually triggered trusty builds to smoke test it before xenial and centos pick it up | 17:02 |
| openstackgerrit | Paul Belanger proposed openstack-infra/openstack-zuul-jobs master: Remove legacy-opensuse-423 nodeset https://review.openstack.org/591781 | 17:02 |
| mnaser | mordred: thanks for all the suggestions | 17:03 |
| fungi | clarkb: oh, the preexisting case for PermitRootLogin was also breaking image builds? how long ago did that one land? | 17:03 |
| clarkb | fungi: no it wasn't breaking them, but I think ianw changed them to be consistent and less confusing | 17:03 |
| fungi | ahh | 17:03 |
| clarkb | I'm guessing the parser accepted both Yes and yes but not No and no | 17:04 |
| *** derekh has quit IRC | 17:04 | |
| clarkb | root@23.253.156.188 cat /etc/ssh/sshd_config if you want to see it working now | 17:04 |
| AJaeger | exactly PermitRootLogin with both Yes and yes but the new set not with No but only with no ;( | 17:05 |
| AJaeger | broken parser IMHO | 17:05 |
| *** rosmaita has quit IRC | 17:05 | |
| fungi | indeed, that's weird | 17:07 |
| clarkb | computers | 17:08 |
| clarkb | and magnets | 17:08 |
| clarkb | how do they work | 17:08 |
| clarkb | completely unrelated we have top 5 worst air quality in the world right now here in portland \o/ | 17:08 |
| *** Swami has joined #openstack-infra | 17:10 | |
| clarkb | mordred: ok I am going to attempt booting a new ethercalc xenial node after our meeting today. I should attempt that on bridge.o.o at this point? | 17:10 |
| cmurphy | clarkb: what do you want to do about https://review.openstack.org/576262 , how can i make that less scary | 17:10 |
| openstackgerrit | Paul Belanger proposed openstack/diskimage-builder master: Remove legacy-opensuse-423 nodeset https://review.openstack.org/591788 | 17:10 |
| clarkb | cmurphy: I think I'm ok with it given our usage (we never use link local ipv6) | 17:11 |
| cmurphy | right | 17:11 |
| clarkb | cmurphy: maybe we double check that ianw is ok with that given we don't use link local? Possibly add a bit more to the comment explaining how it may be desireable in some cases and we are sorry if we break it for you? | 17:12 |
| cmurphy | clarkb: we can't be breaking it for anyone, on puppet 3 it won't use link local | 17:12 |
| clarkb | ah | 17:12 |
| cmurphy | this is just keeping that behavior on puppet 4 | 17:13 |
| clarkb | cmurphy: as another option can we just bind to link local and any other ipv6 addrs too? | 17:13 |
| openstackgerrit | Paul Belanger proposed openstack-infra/openstack-zuul-jobs master: Remove legacy-opensuse-423 nodeset https://review.openstack.org/591781 | 17:13 |
| clarkb | will be an extra bind in many cases but shouldn't hurt much | 17:13 |
| clarkb | oh it can't bind to link local | 17:13 |
| cmurphy | yeah that's the problem i was seeing though i don't fully understand it | 17:13 |
| clarkb | in that case ya I think we can work around it as proposed since we never use link locla ipv6 | 17:14 |
| clarkb | fungi: ^ is the esoteric network behavior whisperer though and may have ideas | 17:14 |
| *** jamesmcarthur has joined #openstack-infra | 17:16 | |
| *** yamahata has quit IRC | 17:19 | |
| * fungi fires up his esoterica processor | 17:20 | |
| *** auristor has joined #openstack-infra | 17:21 | |
| *** Bhujay has quit IRC | 17:22 | |
| *** psachin has quit IRC | 17:22 | |
| *** rlandy|brb is now known as rlandy | 17:24 | |
| *** dpawlik has joined #openstack-infra | 17:24 | |
| fungi | yeah, close but not quite. see inline comment | 17:26 |
| clarkb | fungi: does that seem to be a reasonable appraoch though? Alsoany idea why haproxy wouldn't be able to bind to the link local address? | 17:27 |
| *** dpawlik has quit IRC | 17:29 | |
| fungi | yes, approach seems fine. haproxy's reluctance to bind linklocal is probably a built-in safety measure? | 17:30 |
| fungi | even possible it avoids all addresses that don't have the global bit set (so including site-local, loopback, et cetera) | 17:30 |
| clarkb | oh internet tells me it is because link local addrs are not global and have to be scoped to the interface? | 17:31 |
| fungi | remember that with ipv6 there is a single bit software can check to see whether an address is or isn't global scope | 17:31 |
| openstackgerrit | Paul Belanger proposed openstack/diskimage-builder master: Remove legacy-opensuse-423 nodeset https://review.openstack.org/591788 | 17:31 |
| openstackgerrit | Paul Belanger proposed openstack/diskimage-builder master: Remove unsued opensuse jobs https://review.openstack.org/591797 | 17:31 |
| clarkb | given that we probably do want to just ignore link local addrs ratherthan map them onto interfaces | 17:32 |
| fungi | clarkb: yeah, you can have the same linklocal address on multiple interfaces. they're not assumed to be unique, so to know which one you're talking about you have to suffix with %something | 17:32 |
| fungi | or, i should say, you can have the same linklocal network addresses _reachable_ through multiple interfaces | 17:32 |
| fungi | and as such local interface routing is necessary | 17:33 |
| clarkb | right and binding to an address requires unique identifier | 17:33 |
| openstackgerrit | Tom Barron proposed openstack-infra/project-config master: Add publish-to-pypi for manila-tempest-plugin https://review.openstack.org/591799 | 17:37 |
| dhellmann | if I move a job definition into the master branch of my repo, can I refer to it from other branches, too? Or do I need a copy in each branch? | 17:39 |
| corvus | dhellmann: by default it will be a branch variant for the master branch and won't match changes on other branches. you can manually set its branch matcher to match all branches (or disable implied branch matchers for the project), but in the typical case, it's probably best to copy it to the other branches. | 17:42 |
| dhellmann | corvus : ok, thanks | 17:42 |
| fungi | mnaser: not sure if debian is something vexxhost is interested in helping support, but there's a thread going on the debian-devel ml right now where they're looking for somewhere not built on proprietary software to host part of their gitlab ci: https://lists.debian.org/debian-devel/2018/08/msg00187.html | 17:43 |
| fungi | or rather, gce was proposed and that elicited an "eek!" from parts of their community more vested in free software ideals | 17:44 |
| *** janki has joined #openstack-infra | 17:45 | |
| mnaser | fungi: interesting, i can reply to that and propose.. but maybe gonna dig if gitlab external storage supports openstack | 17:45 |
| *** holser_ has quit IRC | 17:45 | |
| fungi | mnaser: yeah, no clue. would be a shame if it doesn't, but then again gitlab is open-core | 17:46 |
| fungi | so wouldn't be entirely surprising | 17:47 |
| mnaser | fungi: yeah i'm not sure what 'external storage' is in the first place | 17:47 |
| openstackgerrit | Andreas Jaeger proposed openstack-infra/project-config master: Install ssl devel libs https://review.openstack.org/591803 | 17:47 |
| AJaeger | project-config build failed with a missing openssl header file, see http://logs.openstack.org/99/591799/1/check/openstack-zuul-jobs-linters/b8adf08/job-output.txt.gz#_2018-08-14_17_42_13_510138 the change above addresses this ^ | 17:48 |
| AJaeger | config-core, please review ^ | 17:48 |
| *** holser_ has joined #openstack-infra | 17:49 | |
| *** holser_ has quit IRC | 17:49 | |
| *** holser_ has joined #openstack-infra | 17:50 | |
| *** Shrews has quit IRC | 17:52 | |
| openstackgerrit | Andreas Jaeger proposed openstack-infra/project-config master: Install ssl devel libs https://review.openstack.org/591803 | 17:52 |
| AJaeger | clarkb: removed whitespace ^ | 17:53 |
| fungi | mnaser: yeah i wonder if they're referring to https://docs.gitlab.com/ee/development/file_storage.html#object-storage or maybe https://docs.gitlab.com/ee/workflow/lfs/lfs_administration.html#storing-lfs-objects-in-remote-object-storage | 17:54 |
| fungi | seems it supports any object storage fog does? | 17:54 |
| *** yamahata has joined #openstack-infra | 17:55 | |
| fungi | oh, though those are in the ee docs not the ce docs. open core bites again | 17:55 |
| *** amoralej is now known as amoralej|off | 17:59 | |
| *** holser_ has quit IRC | 18:01 | |
| AJaeger | mnaser, fungi, could either of you +2A https://review.openstack.org/591803 to update bindep.txt with needed libs? zuul-jobs and openstack-zuul-jobs have these already | 18:05 |
| AJaeger | thanks, mnaser | 18:06 |
| mnaser | np :) | 18:06 |
| *** trown is now known as trown|lunch | 18:11 | |
| openstackgerrit | Andreas Jaeger proposed openstack-infra/infra-specs master: Direction setting for 3rd Party CI https://review.openstack.org/563849 | 18:11 |
| *** eharney has quit IRC | 18:12 | |
| openstackgerrit | Merged openstack-infra/project-config master: Install ssl devel libs https://review.openstack.org/591803 | 18:15 |
| *** dtantsur is now known as dtantsur|afk | 18:15 | |
| AJaeger | pabelanger: regarding base work, I doubt that I find time to help this week with it. but if others are around, go for it... | 18:16 |
| *** jamesmcarthur has quit IRC | 18:17 | |
| *** jamesmcarthur has joined #openstack-infra | 18:20 | |
| *** electrofelix has quit IRC | 18:26 | |
| *** studarus has joined #openstack-infra | 18:30 | |
| studarus | clarkb: packet back at 100% - root cause: old compute hosts were still listed as active | 18:30 |
| *** hemna_ has joined #openstack-infra | 18:35 | |
| clarkb | studarus: interesting, and thank you for sorting that | 18:36 |
| openstackgerrit | Paul Belanger proposed openstack-infra/project-config master: Fix tools/add-projects-to-main.yaml for py36 https://review.openstack.org/591822 | 18:36 |
| pabelanger | AJaeger: ^might be of interest | 18:37 |
| pabelanger | also, seems main.yaml was unsorted? | 18:37 |
| mordred | pabelanger: that's right - it can't be sorted until line 25 | 18:40 |
| mordred | pabelanger: so I don't think anyone has written a tool to check that it is sorted after that comment | 18:40 |
| pabelanger | mordred: for some reason, my patch in 591822 changed the order | 18:41 |
| pabelanger | I don't know why yet | 18:41 |
| mordred | oh - maybe that tool _does_ deal with the ordering | 18:41 |
| mordred | and other thingswere added without it and we didn't catch that | 18:41 |
| mordred | pabelanger: yes - that's it- the add tool sure does maintain a sorted order after the comment | 18:42 |
| mordred | pabelanger: so we could probably extract similar logic to make a gate check if we wanted | 18:42 |
| pabelanger | mordred: yah, see that now | 18:43 |
| *** diablo_rojo has joined #openstack-infra | 18:47 | |
| *** Shrews has joined #openstack-infra | 18:48 | |
| *** studarus has quit IRC | 18:49 | |
| clarkb | pabelanger: isinstance({}, dict) returns True on python 3.6.5 | 18:51 |
| clarkb | pabelanger: what is that fixing? | 18:51 |
| *** trown|lunch is now known as trown | 18:53 | |
| pabelanger | clarkb: http://paste.openstack.org/show/728031/ | 18:54 |
| pabelanger | python 3.6.6 | 18:54 |
| pabelanger | atleast I think it is python failure | 18:54 |
| *** rfolco|rover has joined #openstack-infra | 18:55 | |
| clarkb | pabelanger: that traceback is incomplete | 18:55 |
| pabelanger | sorry, paste fail | 18:55 |
| pabelanger | 1 sec | 18:55 |
| pabelanger | http://paste.openstack.org/show/728032/ | 18:56 |
| clarkb | ah ruamel is being fancy with types | 18:57 |
| clarkb | I'm not sure if that is a python3.6 problem | 18:57 |
| clarkb | Meeting in a minute over in #openstack-meeting | 18:59 |
| fungi | i really despise the ruamel suite of modules | 19:01 |
| mordred | yah. collections.Mapping seems to work in 2.7 though | 19:01 |
| mordred | fungi: ++ | 19:01 |
| mordred | I'm not crazy about using them in that script | 19:01 |
| clarkb | mordred: ya the change is correct, its just not python3.6 at fault | 19:01 |
| fungi | so tightly intertwined | 19:01 |
| clarkb | its ruamel | 19:01 |
| *** eharney has joined #openstack-infra | 19:17 | |
| *** e0ne has joined #openstack-infra | 19:23 | |
| *** e0ne has quit IRC | 19:26 | |
| *** abelur has quit IRC | 19:27 | |
| *** abelur has joined #openstack-infra | 19:27 | |
| *** zxiiro has quit IRC | 19:27 | |
| *** zxiiro has joined #openstack-infra | 19:27 | |
| *** e0ne has joined #openstack-infra | 19:27 | |
| smcginnis | Gerrit ACL question - things like cinder-stable-core containing stable-maint-core is a concept entirely inside of gerrit, right? Nothing in project-config/gerrit/acls would show or affect that? | 19:33 |
| clarkb | smcginnis: correct, its group membership management | 19:34 |
| smcginnis | clarkb: OK, thanks! | 19:34 |
| openstackgerrit | Monty Taylor proposed openstack-infra/system-config master: Add system-config to roles path https://review.openstack.org/590752 | 19:38 |
| openstackgerrit | Sean McGinnis proposed openstack-infra/project-config master: Remove tagging rights for Adjutant team https://review.openstack.org/591836 | 19:38 |
| openstackgerrit | Sean McGinnis proposed openstack-infra/project-config master: Explicitly add stable-maint-core to governed repos https://review.openstack.org/591837 | 19:41 |
| *** jaosorior has quit IRC | 19:45 | |
| openstackgerrit | Paul Belanger proposed openstack-infra/openstack-zuul-jobs master: Remove legacy-opensuse-423 nodeset https://review.openstack.org/591781 | 19:56 |
| openstackgerrit | Monty Taylor proposed openstack-infra/system-config master: WIP Straw man exim variable rename possibility https://review.openstack.org/591841 | 19:56 |
| ianw | fungi: we can discuss. i don't think the idea of proxying acme requests back to a central location is actually all that unique, you can certainly find references to others who do that | 19:58 |
| *** jaosorior has joined #openstack-infra | 19:58 | |
| ianw | personally, i like that better than updating every host to have its own acme environment, it's own registration and renewal plan and inevitably it's own bugs | 19:59 |
| ianw | you just put in the one proxy on the http site, and then you get your keys as secrets. that's the idea, anyway | 20:00 |
| openstackgerrit | Paul Belanger proposed openstack-infra/project-config master: Create base-ozj base job https://review.openstack.org/587165 | 20:00 |
| openstackgerrit | Paul Belanger proposed openstack-infra/project-config master: Delete current base-minimal job https://review.openstack.org/587169 | 20:00 |
| openstackgerrit | Paul Belanger proposed openstack-infra/project-config master: Reset base-test playbooks https://review.openstack.org/587104 | 20:00 |
| openstackgerrit | Paul Belanger proposed openstack-infra/project-config master: Add base-minimal / base-minimal-test playbooks https://review.openstack.org/587105 | 20:00 |
| openstackgerrit | Paul Belanger proposed openstack-infra/project-config master: Parent base-test to base-minimal-test https://review.openstack.org/587106 | 20:00 |
| openstackgerrit | Paul Belanger proposed openstack-infra/project-config master: Parent base to base-minimal https://review.openstack.org/587107 | 20:00 |
| openstackgerrit | Paul Belanger proposed openstack-infra/project-config master: Remove base-test now defined in openstack-zuul-jobs https://review.openstack.org/587113 | 20:00 |
| clarkb | mordred: am I booting ethercalc02.openstack.org on bridge.o.o? | 20:01 |
| clarkb | mordred: and if so anything I need to know? | 20:01 |
| mordred | clarkb: no, I'd boot it on puppetmaster | 20:02 |
| clarkb | ah ok | 20:02 |
| mordred | clarkb: since the launch-node script deals with inventory cache invalidation | 20:02 |
| fungi | ianw: i get the attraction of centralizing where certbot runs, but it loses out on a lot of the positives for how it was designed to be used | 20:02 |
| fungi | in particular, it doesn't get us out of the business of managing ssl certs/keys, just reduces the pain of buying and copying them manually | 20:03 |
| mordred | clarkb: actually - that reminds me - we should update the cache invalidation code in launch-node for how that works on bridge now | 20:03 |
| fungi | ianw: basically as proposed the plan would replace the human who buys the certs with certbot, and the manual copying of them with some automation, but it's fundamentally still the same model just with many of the other drawbacks of that model | 20:05 |
| clarkb | Looking at memory usage I'm going to keep the xenial ethercalc node on the same flavor | 20:05 |
| pabelanger | clarkb: ianw: ^ rebased to clean merge conflict. But the main idea of the stack is to move base into ozj, and create base-minimal as base job in project-config. Eventually moving a lot of the roles in base-minimal into base, so we get speculative testing | 20:05 |
| corvus | fungi, ianw: aiui, if we don't mind treating the certs as disposable (with, potentially, more disruption in service when we change out hosts), we can have a more distributed model | 20:05 |
| pabelanger | lots of moving parts so avoid breaking zuul | 20:06 |
| fungi | corvus: ianw: yes, in my mind the attraction of le was to stop treating certs (and keys) as special data we have to care for and feed and shuffle around (whether with a human or with tooling) | 20:06 |
| *** jamesmcarthur has quit IRC | 20:08 | |
| fungi | fi we really want to seamlessly replace servers and don't want to rely on a certbot-dns like solution then we could of course copy keys and certs from the old server to the new one or live with a 30-second blip of the site having a snakeoil cert | 20:08 |
| ianw | fungi: i guess i was looking at another angle, which is how can we use LE with minimal disruption to all our automation. because currently basically everything assumes their key data is coming down from a hiera secret | 20:09 |
| *** slaweq_ has quit IRC | 20:09 | |
| fungi | ianw: i definitely get that, but i'd also love to see us simplify and this is a lot of additional complexity being built up to do the proxying/bootstrapping which wouldn't be necessary if we take a piecemeal migration approach | 20:10 |
| *** slaweq_ has joined #openstack-infra | 20:11 | |
| fungi | the complexity of getting certbot working consistently on all our current https-using services seems like it coule be roughly equivalent to the complexity of standing up this additinal central service and associated automation | 20:12 |
| fungi | and i apologize, i need to step away for a bit and get my hands all messy making crab cakes, but will be back in an hour or two | 20:13 |
| fungi | (if it were a less messy cooking endeavor i'd take a computer into the kitchen and continue typing) | 20:13 |
| ianw | my angle is pretty much that if the solution involves "touch several layers of puppet for each host" the practicality of that is quite painful. c.f. trusty work :) | 20:15 |
| *** slaweq_ has quit IRC | 20:15 | |
| fungi | on the other hand, the touching could be mostly deleting | 20:16 |
| fungi | but sure, makes sense | 20:16 |
| *** jcoufal has quit IRC | 20:19 | |
| ianw | i'll think on it. the prior version had things rsyncing etc which was getting even more out of hand. but i think the idea that bridge.o.o can run a role at least centralises things there | 20:19 |
| clarkb | ethercalc02 is booting, I'm going to test that it produces a working ethercalc install and if it does reduce the ttl on the dns cname then will do a shutdown, copy db content, start up again, dance along with dns change to migrate users to the new server | 20:20 |
| clarkb | then ensure backups are happy and finally delete the old trusty server | 20:21 |
| clarkb | fatal: [ethercalc02.openstack.org]: UNREACHABLE! => {"changed": false, "msg": "Failed to connect to the host via ssh.", "unreachable": true} | 20:23 |
| clarkb | that is curious, it was talking to the node prior to that just fine | 20:24 |
| clarkb | mordred: ^ should I be concerend about that or try again and assume cloud had a burp? | 20:24 |
| *** apetrich has quit IRC | 20:24 | |
| * clarkb reruns with --keep | 20:25 | |
| *** AhmadMahmoudi has quit IRC | 20:32 | |
| *** slaweq_ has joined #openstack-infra | 20:32 | |
| clarkb | now it is running puppet, it got past where it was before | 20:34 |
| clarkb | weird | 20:34 |
| *** slaweq_ has quit IRC | 20:36 | |
| clarkb | infra-root: https://162.242.144.125/64v8xe2lwf01 seems to be working | 20:38 |
| clarkb | any opposition to continuing with the service migration? | 20:39 |
| clarkb | going to test the db migration now | 20:41 |
| clarkb | https://162.242.144.125/fgry72wu42qw data migration seems to have worked. | 20:45 |
| *** hemna_ has quit IRC | 20:47 | |
| clarkb | I've created dns records for ethercalc02.openstack.org both forward and reverse and A and AAAA. I'm going to reduce the TTL on ethercalc.openstack.org now. Then migrate the service over once the old ttl has had long enough to roll over | 20:48 |
| clarkb | then I'll shutdown old service and new service, recopy the database, start new service | 20:48 |
| clarkb | and update dns | 20:49 |
| ianw | clarkb: fwiw lgtm | 20:50 |
| clarkb | I have noticed we backup the old service as ethercalc01 not ethercalc. I actually like this beause it means we can delete those backups in the future. But it means I'll have to do backup setup on ethercalc02 as if it were a completely new server | 20:51 |
| clarkb | I'll work on that once the transition is complete | 20:51 |
| clarkb | ethercalc CNAME already has a ttl of 5 minutes | 20:54 |
| *** dhill_ has joined #openstack-infra | 20:55 | |
| *** jaosorior has quit IRC | 20:56 | |
| *** hemna_ has joined #openstack-infra | 20:56 | |
| clarkb | alright DNS is ready for me so I'm stopping the apache, node and redis processes on ethercalc01 and 02, copying /var/lib/redis/dump.rdb from 01 to 02 then starting the trio of services on 02 and updating DNS now | 20:57 |
| clarkb | that is all done now | 21:02 |
| clarkb | https://ethercalc.openstack.org/fgry72wu42qw seems to be happy | 21:03 |
| *** diablo_rojo has quit IRC | 21:05 | |
| *** trown is now known as trown|outtypewww | 21:06 | |
| *** slaweq_ has joined #openstack-infra | 21:11 | |
| openstackgerrit | Clark Boylan proposed openstack-infra/system-config master: Backup ethercalc to hostname specific location https://review.openstack.org/591849 | 21:13 |
| clarkb | infra-root ^ if we agree on that change I'll go ahead and get backups started to that new name and do an initial run to test it | 21:14 |
| openstackgerrit | Monty Taylor proposed openstack-infra/system-config master: Shift lists exim config to ansible https://review.openstack.org/591494 | 21:15 |
| mordred | corvus: ^^ updated | 21:15 |
| *** slaweq_ has quit IRC | 21:15 | |
| openstackgerrit | Monty Taylor proposed openstack-infra/system-config master: Shift exim config for firehose and storyboard https://review.openstack.org/591495 | 21:16 |
| ianw | clarkb: mind a +2 on some easy mirror things -> https://review.openstack.org/#/c/586526/ https://review.openstack.org/#/c/577943/ https://review.openstack.org/#/c/577944/ | 21:22 |
| clarkb | ianw: sure | 21:22 |
| ianw | i can actively monitor them | 21:22 |
| *** slagle has quit IRC | 21:23 | |
| clarkb | ianw: the puppet 5 one is a neat type hack. I guess since the erb files consume that we can use arbitrary types for releases across different reprepro repos | 21:24 |
| clarkb | neat | 21:24 |
| ianw | yeah, that's the one i'm *pretty* sure works :) | 21:25 |
| clarkb | ianw: I approved the first two nd left the last with a +2 ready for approval when links are cleared out | 21:26 |
| openstackgerrit | Monty Taylor proposed openstack-infra/system-config master: Add lists exim config to ansible https://review.openstack.org/591494 | 21:26 |
| openstackgerrit | Monty Taylor proposed openstack-infra/system-config master: Add exim config for firehose and storyboard https://review.openstack.org/591495 | 21:26 |
| openstackgerrit | Monty Taylor proposed openstack-infra/system-config master: Stop running puppet from puppetmaster https://review.openstack.org/591151 | 21:26 |
| openstackgerrit | Monty Taylor proposed openstack-infra/system-config master: Start running puppet cron on bridge.openstack.org https://review.openstack.org/591152 | 21:26 |
| openstackgerrit | Monty Taylor proposed openstack-infra/system-config master: Remove base.yaml things from openstack_project::server https://review.openstack.org/585836 | 21:26 |
| mordred | clarkb, cmurphy: for new futureparser additions, could y'all make sure to add them to groups.yaml too ? | 21:27 |
| clarkb | mordred: did groups.yaml end up merging? the lsat time I checked it was still all in a proposed state. Fwiw group updates is why I asked if we should hold off on etherpad digitization. Maybe we just hold off on those too? | 21:28 |
| mordred | yes to all of the above - it's landed, but yeah, we're close enough let's just hold off on group updates | 21:28 |
| mordred | I'm hoping we can cutover tomorrow | 21:29 |
| clarkb | that wfm | 21:29 |
| clarkb | mordred: have a moment to review https://review.openstack.org/#/c/591849/1 and I'll finish up the upgrade of ethercalc to xenial | 21:29 |
| mordred | onit | 21:29 |
| openstackgerrit | Monty Taylor proposed openstack-infra/system-config master: Remove bridge from disabled and add puppet group https://review.openstack.org/591150 | 21:30 |
| openstackgerrit | Monty Taylor proposed openstack-infra/system-config master: Add lists exim config to ansible https://review.openstack.org/591494 | 21:30 |
| openstackgerrit | Monty Taylor proposed openstack-infra/system-config master: Add exim config for firehose and storyboard https://review.openstack.org/591495 | 21:30 |
| openstackgerrit | Monty Taylor proposed openstack-infra/system-config master: Stop running puppet from puppetmaster https://review.openstack.org/591151 | 21:30 |
| openstackgerrit | Monty Taylor proposed openstack-infra/system-config master: Start running puppet cron on bridge.openstack.org https://review.openstack.org/591152 | 21:30 |
| openstackgerrit | Monty Taylor proposed openstack-infra/system-config master: Remove base.yaml things from openstack_project::server https://review.openstack.org/585836 | 21:30 |
| clarkb | mordred: thanks! | 21:30 |
| mordred | infra-root: ^^ that stack should be up to date now. I pushed most of it three times just now - once to update the exim stuff with consistent variables - once move the exim fixes earlier in the stack and then a rebase to fix merge conflicts - mostly so that the differences can be reviewed for anyone who wants to before the rebase patch | 21:31 |
| *** slaweq_ has joined #openstack-infra | 21:32 | |
| cmurphy | mordred: it looks like groups.yaml is already out of date with the current groups.txt should i go ahead and update it? | 21:32 |
| clarkb | ++ to updating it then we can freeze | 21:33 |
| mordred | cmurphy: I just did in https://review.openstack.org/591150 as part of fixing merge conflicts | 21:33 |
| mordred | cmurphy: but please to review that I got it right | 21:33 |
| mordred | also - that patch should be safe to land | 21:33 |
| cmurphy | okie | 21:33 |
| mordred | in fact, that stack is all ready for review - and is safe to land up to the one I put a WIP -1 on | 21:33 |
| *** dbecker has quit IRC | 21:34 | |
| clarkb | mordred: noted, I'll work on reviews as soon as ethercalc02 is happy with reviews | 21:34 |
| clarkb | then probably plan to delete ethercalc01 tomorrow | 21:34 |
| mordred | (but even the one with a -1 on it and theones behind it are ready for review - they're just not safe to land without us ready to cutover) | 21:34 |
| mordred | actually, I should procedurable -2 that one so it's clear it's reviewable | 21:34 |
| openstackgerrit | Ian Wienand proposed openstack-infra/system-config master: Support puppet5 for bionic https://review.openstack.org/589007 | 21:35 |
| *** boden has quit IRC | 21:36 | |
| ianw | cmurphy: ^ that installed for me, may be enough to get bionic wheel builds working until we get ansible support merged, but haven't tested any of the afs puppet modules with it | 21:36 |
| *** slaweq_ has quit IRC | 21:36 | |
| cmurphy | ianw: cool | 21:37 |
| *** rh-jelabarre has quit IRC | 21:37 | |
| clarkb | first backup is running now in screen on ethercalc02 | 21:40 |
| clarkb | then once update to puppet merges we should be good for the next run at 5:37 UTC | 21:40 |
| ianw | cmurphy: do you know why the pc1 disappeared on puppet 5? i puppet collections no longer a thing? | 21:40 |
| openstackgerrit | Monty Taylor proposed openstack-infra/ansible-role-puppet master: Allow setting puppet_version explicitly https://review.openstack.org/591145 | 21:41 |
| cmurphy | ianw: yeah i think they decided that wasn't a good idea | 21:41 |
| cmurphy | they never even released more than one collection | 21:41 |
| ianw | ok, didn't know if i was missing something :) sounds like not | 21:42 |
| clarkb | that backed up surprisingly quickly. The redis db is actually quite small | 21:43 |
| clarkb | cmurphy: ianw frickler thank you for all the work to make that possible, I think the ethercalc update is basicaly done and etherpad are ready as soon as we stabilize bridge.o.o | 21:43 |
| cmurphy | clarkb: \o/ | 21:44 |
| cmurphy | clarkb: now we still need https://review.openstack.org/590030 for it though :P | 21:45 |
| clarkb | cmurphy: ya | 21:45 |
| cmurphy | i'll wait for https://review.openstack.org/591150 to merge instead of rebasing everything on top of it | 21:45 |
| clarkb | cmurphy: wfm | 21:46 |
| openstackgerrit | Merged openstack-infra/system-config master: Mirror puppet5 for Ubuntu Bionic https://review.openstack.org/586526 | 21:47 |
| clarkb | and my sandwich just arrived so eating that before reviewin the update-cfg-mgmt topic | 21:51 |
| *** slaweq_ has joined #openstack-infra | 21:53 | |
| *** jamesmcarthur has joined #openstack-infra | 21:57 | |
| openstackgerrit | Merged openstack-infra/system-config master: Remove mariadb link from mirrors https://review.openstack.org/577943 | 21:57 |
| *** slaweq_ has quit IRC | 21:57 | |
| *** jamesmcarthur has quit IRC | 21:59 | |
| *** jamesmcarthur_ has joined #openstack-infra | 21:59 | |
| openstackgerrit | Merged openstack-infra/system-config master: Backup ethercalc to hostname specific location https://review.openstack.org/591849 | 21:59 |
| *** janki has quit IRC | 22:01 | |
| *** slaweq_ has joined #openstack-infra | 22:11 | |
| clarkb | mordred: comment on https://review.openstack.org/#/c/591150/3 from cmurphy that I expect will require a new ps | 22:12 |
| *** bobh has joined #openstack-infra | 22:12 | |
| mordred | yay! | 22:12 |
| openstackgerrit | Monty Taylor proposed openstack-infra/system-config master: Remove bridge from disabled and add puppet group https://review.openstack.org/591150 | 22:15 |
| *** slaweq_ has quit IRC | 22:15 | |
| openstackgerrit | Monty Taylor proposed openstack-infra/system-config master: Add lists exim config to ansible https://review.openstack.org/591494 | 22:16 |
| mordred | cmurphy, clarkb: ^^ fixed, and also fixed the error that the integration tests caught :) | 22:17 |
| *** jamesmcarthur_ has quit IRC | 22:19 | |
| *** jamesmcarthur has joined #openstack-infra | 22:23 | |
| *** kambiz has joined #openstack-infra | 22:24 | |
| *** signed8b_ has quit IRC | 22:25 | |
| clarkb | mordred: https://review.openstack.org/#/c/591150/4/playbooks/roles/install-ansible/files/groups.yaml lists groups\d* twice is that intentional? | 22:28 |
| *** jamesmcarthur has quit IRC | 22:29 | |
| mordred | clarkb: nope | 22:30 |
| *** slaweq_ has joined #openstack-infra | 22:32 | |
| *** tpsilva has quit IRC | 22:33 | |
| clarkb | mordred: also left a thought on https://review.openstack.org/#/c/591494/6 don't really know enough about how exim config will be used to say my suggestion is better than what we have there but figured we should consider it | 22:33 |
| clarkb | #status log Ethercalc service migrated to Xenial on new ethercalc02 instance. Backups updated to push to bup-ethercalc02 remote as well. We should delete ethercalc01.openstack.org in the near future then bup-ethercalc01 in the later future. | 22:35 |
| openstackstatus | clarkb: finished logging | 22:35 |
| *** slaweq_ has quit IRC | 22:36 | |
| *** e0ne has quit IRC | 22:39 | |
| mordred | clarkb: I'll defer that one to corvus | 22:41 |
| *** bobh has quit IRC | 22:42 | |
| clarkb | mordred: I think the trade off is manipulating various toggles in ansible vs just using them as is | 22:48 |
| mordred | clarkb: yah | 22:48 |
| clarkb | ianw: fungi: please ping if you discuss the le spec again (I'm curious to listen in/participate) | 22:51 |
| fungi | sure, i'm done crab-caking and back around again | 22:51 |
| *** kei-ichi has quit IRC | 22:51 | |
| *** slaweq_ has joined #openstack-infra | 22:53 | |
| *** slaweq_ has quit IRC | 22:57 | |
| *** mattmceuen has joined #openstack-infra | 23:04 | |
| mattmceuen | Hello os-infra friends. I have a PS for a project-config add that has two +2s - if anyone felt comfortable kicking it with a +WF it would be much appreciated! https://review.openstack.org/#/c/590581/ | 23:07 |
| clarkb | mattmceuen: done | 23:09 |
| mattmceuen | thank you clarkb! Have a great night :) | 23:10 |
| openstackgerrit | Merged openstack-infra/project-config master: New Airship project - Treasuremap https://review.openstack.org/590581 | 23:20 |
| ianw | clarkb / fungi : well I think we agree there's no clear way forward with dns, so that's a good start :) | 23:23 |
| fungi | at least if we want to have zonefiles in git going through code review, the latency involved precludes having something like certbot call out to propose a patch to gerrit | 23:25 |
| clarkb | ianw: fungi: when I did my first pass review I liked the decentralized system because it was resilient. My concern was how would we coordinate that when we go from 01 to 02 like I just did with ethercalc | 23:27 |
| clarkb | thinking about that more the 02 server could just request a new cert rather than reup, but then we'd limit the number of new servers we can boot per week right? | 23:28 |
| *** rpioso is now known as rpioso|afk | 23:30 | |
| *** slaweq_ has joined #openstack-infra | 23:32 | |
| ianw | clarkb: would this be a SAN certificate situation. we have etherpad.o.o with SAN of etherpad01.o.o and etherpad02.o.o ? | 23:32 |
| clarkb | ianw: I don't think so, we typically only present the actual service name in the cert (and use dns cnames to point to the correct backend) | 23:32 |
| clarkb | ianw: but the new 02 server won't have the existing 01's cert key if we don't centralize the cert management somehow | 23:33 |
| clarkb | so it would have to request a new key be signed and that is what we are limited to doing with the rate limiter iirc | 23:33 |
| ianw | right, in the proposed model, you just "cp" the key in heira (private data, ansible, whatever) for the new host, is what i'm imagining | 23:34 |
| ianw | key material | 23:34 |
| clarkb | yup | 23:34 |
| clarkb | but I think centralizing it like that is what fungi takes objection to? | 23:35 |
| *** slaweq_ has quit IRC | 23:36 | |
| ianw | yes, (to speak for fungi) fungi's overall point is to avoid that. | 23:36 |
| ianw | I'm not 100% sure I'd agree the entire point of LE is to have organisations not have to centralise key management | 23:38 |
| clarkb | ya one upside is we'd save a few hundred usd a year | 23:39 |
| ianw | for example, it talks about creating a single account for large organisations and using that, rather than creating separate accounts | 23:39 |
| ianw | https://letsencrypt.org/docs/integration-guide/ "However, for most larger hosting providers we recommend using a single account and guarding the corresponding account key well." to be specific | 23:42 |
| openstackgerrit | Paul Belanger proposed openstack-infra/zuul master: WIP: fix tenant-conf-check for duplicate projects https://review.openstack.org/591868 | 23:45 |
| clarkb | ah interesting that also says they can adjust rate limits | 23:45 |
| *** Swami has quit IRC | 23:45 | |
| fungi | also a good point that all the servers would need the le account details. centralizing where we contact le allows us to limit exposure of that credential (at risk of increasing exposure of the ssl keys) | 23:47 |
| *** slaweq_ has joined #openstack-infra | 23:53 | |
| *** slaweq_ has quit IRC | 23:57 | |
Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!