Friday, 2019-02-22

« Thursday, 2019-02-21 Index Saturday, 2019-02-23 »
*** dave-mccowan has joined #openstack-infra00:04
*** wolverineav has joined #openstack-infra00:04
clarkbI'm going to copy the stash file as that suggests and see if that fixes things00:04
*** rascasoft has joined #openstack-infra00:06
*** sdake_ has quit IRC00:08
clarkbkadmind is now running00:08
clarkbI think that was it. fungi want ot try installing the package again?00:09
*** wolverineav has quit IRC00:10
*** slaweq has joined #openstack-infra00:11
*** wolverineav has joined #openstack-infra00:12
*** agopi has joined #openstack-infra00:15
* clarkb will try00:15
*** slaweq has quit IRC00:16
clarkbfungi: package install still fails00:16
*** rascasoft has quit IRC00:16
clarkbfungi: any more ideas? maybe set -x again?00:17
*** wolverineav has quit IRC00:17
clarkbfwiw if we can sort this out and get puppet running sanely then I think I'd like to start work on replacing kdc01 by making kdc04 the master, booting a new server then updating dns as appropriate00:17
openstackgerritJames E. Blair proposed openstack-infra/system-config master: Run an haproxy load balancer for gitea  https://review.openstack.org/63803300:18
clarkbactually I think the process should be start kdc03.openstack.org and make it a slave. Then shutoff kdc01 and make kdc03 the master syncing to 0400:20
clarkbbut all that should happen once we have puppet happy00:20
fungimmm, i can check again in a sec00:22
clarkbfutureparser puppet run on kdc01 is happy00:23
*** sdake has joined #openstack-infra00:25
corvusYAAAAAAAAAAAAAAAAAAY!!! https://www.youtube.com/watch?v=QVPKI2j__uQ00:32
corvusthe first speculative execution of an unpublished docker image: http://logs.openstack.org/54/637654/9/check/system-config-run-zuul-preview/0f61f28/hosts/bridge.openstack.org/ara-report/result/0ebf64bc-f6b4-4996-be94-7531dcbae9a8/00:33
corvusmordred, clarkb, fungi, tobiash, dmsimard: ^00:36
clarkbneat00:36
corvusthat's running the image built in the jobs run for this change: https://review.openstack.org/63703700:36
openstackgerritIan Wienand proposed openstack-infra/nodepool master: Use a pipeline for dib stats  https://review.openstack.org/63826500:37
openstackgerritIan Wienand proposed openstack-infra/nodepool master: Update dib stats  https://review.openstack.org/63853300:37
clarkbfutureparser on kdc04 doesn't seem to have chagned the behavior of puppet failing on the package install there00:37
corvuswhich is in a different repo, pulled in via depends-on00:37
*** yamamoto has quit IRC00:41
*** yamamoto has joined #openstack-infra00:44
dmsimardcorvus: a lot of work has gone into that :)00:47
dmsimard++00:47
*** yamamoto has quit IRC00:48
*** rlandy is now known as rlandy|afk00:49
*** wolverineav has joined #openstack-infra00:50
clarkbfungi: I think I'm getting the same error you saw after setting -x00:52
clarkbfungi: so starting the service wasn't the only problem00:52
*** markvoelker has joined #openstack-infra00:53
*** dave-mccowan has quit IRC00:53
*** gyee has quit IRC00:54
*** sthussey has quit IRC00:54
clarkbI suspect it is unpacking the deb and using the postinst file there and not the one in /var/lib/dpkg/info because the set -x tracing stops once it reexecs into that00:55
clarkbhrm except that the command that fails is using the path that has the set -x00:56
clarkbthis would imply the problem is in the perl script01:01
fungiyeah, this is why i asked about tracing perl before01:05
clarkbok I set -x in the package .config file becuase that is what the perl script was trying to run before the postinstall script01:08
clarkband that seems to have gotten my more interesting output01:08
clarkbread -r _db_internal_line01:08
clarkb+ RET=10 krb5-admin-server/kadmind doesn't exist01:08
fungioh, good call01:08
clarkbdb_set krb5-admin-server/kadmind "$RUN_KADMIND" is what it is trying to do I think01:12
fungias for the swapping kdc01 in plan, that's still running trusty, looks like, not xenial01:12
clarkbfungi: ya so we'll add a kdc03, make kdc03 master then delete 0101:12
clarkbjust have to run down a few of these other details first. Like make package installs work and also did we save the master key info anywhere?01:13
clarkbre debconf, it is trying to set a value why wouldn't it just create the value instead of complaining thatit doesn't exist?01:14
clarkbI really know little about debconf so unsure why it is unhappywith that01:14
pabelangermordred: mnaser: what does it mean when openstacksdk is unable to fetch a remote profile? eg: http://paste.openstack.org/show/745671/01:16
clarkbok I think I understand. Those values have to be in the templates file?01:18
fungiyeah, it seems like a debconf template mismatch maybe?01:19
clarkbya I think this si saying the package is broken because it is trying to set a template value that does not exit01:19
pabelangermordred: mnaser: ok, it seems to be something related on vexxhost side. Downgrading to 0.21.0 for openstacksdk seems to work properly01:20
clarkbhttps://git.launchpad.net/ubuntu/+source/krb5/commit/debian/krb5-admin-server.templates?id=a1dde319af38d098771627855afc7717028b67fe is the change that broke us01:20
clarkbwe must literally be the only people on the planet running kerberos on xenial01:21
mnaserpabelanger, mordred oops we broke something.01:21
mnaserWe migrated our site today. I’ll have to get this fixed01:21
mnaserclarkb: we run it too! Ha01:21
clarkblooking at the latest version of that package I think we must be the only people running it on ubuntu?01:22
pabelangermnaser: ah, it might have just happened in last 4 hours or so. this was working this afternoon :)01:22
pabelangerthanks for confirming01:22
clarkboh or we are the only people that set /etc/default/krb5-admin-server RUN_KADMIND01:22
clarkblet me see if we actually need RUN_KADMIND01:22
mnaseryep01:22
pabelangerha01:23
pabelangerhttp://grafana.openstack.org/d/nuvIH5Imk/nodepool-vexxhost?orgId=1&from=now-24h&to=now01:23
pabelangerI think that might explain why nodepool isn't happy01:23
*** rascasoft has joined #openstack-infra01:23
pabelangeroh, maybe not01:24
clarkbcorvus: fungi mnaser ok I think that is it. The .config file only tries to set config if RUN_KADMIND is set to false and we set it to false on our slave node(s)01:24
pabelangermnaser: clarkb: seems vexxhost-sjc1 stopped working a few days ago01:24
clarkbcorvus: fungi mnaser is there any reason to not run kadmind on the slave node?01:24
pabelanger2/19: 1800UTC it seems01:24
clarkb(important because it is currently running)01:25
*** takamatsu_ has joined #openstack-infra01:26
*** markvoelker has quit IRC01:26
*** takamatsu has quit IRC01:26
mnaserpabelanger: maybe same reason?01:26
clarkbI'm going to stop kadmind on kdc04 now01:28
clarkbin case that is required for safety01:28
*** ijw has quit IRC01:28
fungiyeah, your findings seem correct01:28
fungiand also explains why this isn't broken on 0501:29
*** ijw has joined #openstack-infra01:29
clarkb01 you mean?01:30
clarkbmnaser: you must run kadmind on your slave(s) or only have a single node master?01:30
*** ijw has quit IRC01:30
clarkbbecause I don't see how this packaging would haev worked for slave(s) with kadmind disabled01:30
*** ijw has joined #openstack-infra01:31
fungii meant the master, but for some reason i thought that was 05. seems we don01:32
fungi't have an 0501:32
fungii guess we never finished switching fully to xenial01:32
clarkbfungi: right 01 is the trusty master. 04 is the xenial slave01:32
clarkbalso now I'm confused by systemd would even start kadmind if RUN_KADMIND is set to false01:33
*** rascasoft has quit IRC01:33
clarkboh that only matters if restarting the service01:33
clarkbif you start and stop it takes you at your word01:33
clarkbso ya we must be the only people in the world running kerberos via debuntu packaging with more than one node01:36
clarkbotherwise I don't see how this could work properly01:36
clarkbfungi: is there a dpkg flag we can set to tell it not to configure things?01:36
clarkb(though I'm not sure we want that in the no previous config case, but maybe puppet already handles that for us?)01:37
fungimmm, we can disable the initscript with update-rc2.d i think?01:37
fungier, update-rc.d01:37
clarkbfungi: you tried noninteractive right?01:38
clarkband that didn't change it?01:38
fungiyeah, tried noninteractive01:38
clarkbI think because it will still try to set that value automaticallly right than query for it01:38
clarkbi'm going to remove my set -x's now01:38
fungithat just prevents debconf from prompting you with anything01:38
funginot sure if update-rc.d is relevant for systemd either01:39
*** ijw has quit IRC01:39
clarkbno I think we'd need to do the equivalent systemd thing01:39
clarkbsystemctl disable krb5-admin-server or somesuch01:39
fungibut maybe disabling the krb5-admin-server is preferred over setting RUN_KADMIND=false01:39
clarkbya that is possible01:40
clarkbalso maybe we can get away with running kadmind on all the nodes? the docs don't seem to say tht anywhere though01:40
*** yamamoto has joined #openstack-infra01:41
*** ijw has joined #openstack-infra01:41
*** sdake has quit IRC01:44
mnaserclarkb: freeipa makes my life easy01:45
clarkbwow even better is there is a systemd unit file for this service01:46
clarkbwhich seems to ignore the defaults file01:46
*** sdake has joined #openstack-infra01:46
clarkbso maybe that is how you are expected to do things now. Ignore the defaults file and the sysv init script and enable/disable via systemctl01:47
fungiseems likely01:49
fungienable flags in defaults files sourced by initscripts were always seen as a somewhat hacky solution01:49
clarkbI'm working on a patch to puppet-kerberos01:51
clarkbthen dinner01:51
fungii have to get back to working on the walls but will take a look at whatever you push up for this01:57
openstackgerritClark Boylan proposed openstack-infra/puppet-kerberos master: Workaround broken ubuntu packaging  https://review.openstack.org/63857001:57
clarkbI think ^ will end up working around this for us01:57
clarkbfungi: also this seems like the sort of thing that package linters should catch?02:00
*** wolverineav has quit IRC02:01
fungimaybe, but honestly i don't know to what extent ubuntu enforces that and whether they may have ganked some of this from earlier debian packages02:02
clarkbfungi: it appears it is ported from debian packaging but it also seems like they just copy that over from debian?02:03
clarkbI wouldn't be surprised if debian has the same bug02:03
clarkbyes debian has the same bug in it02:04
clarkbin sid02:04
fungifun02:05
fungiworth reporting a bug i suppose02:05
clarkbya I'll file one in the morning if I can figure out debians bug system02:05
clarkbthen I can link to that from a launchpad bug02:05
fungidebian's bug system can be interfaced entirely over smtp02:06
fungithough the reportbug utility is usually preferred for putting together the report itself02:06
clarkbya I always get confused by it02:06
clarkbalso how crnaky will people be if I say "didn't actually install on debian but this happens on ubuntu and your package files aren't any different"02:07
*** bhavikdbavishi has joined #openstack-infra02:08
*** slaweq has joined #openstack-infra02:11
*** hamzy has joined #openstack-infra02:15
*** slaweq has quit IRC02:15
*** bgmccollum has quit IRC02:15
clarkbalso note that the workaround change will need manual intervention on the server to get unstuck02:17
clarkbwe requier the package be installed before updating the defaults file but the package isn't installing :)02:18
clarkbthats fine I can remove the RUN_KADMIND entry from the defaults file once merged02:18
*** bgmccollum has joined #openstack-infra02:18
clarkband now I am off for the evening. I'll pick this up tomorrow. ianw maybe you would like to review the puppet-kerberos change above? I'm happy to +A if you just want to review it and not babysit02:19
ianwheh yes just did, was following along :)02:19
clarkbthank you!02:20
*** markvoelker has joined #openstack-infra02:23
*** wolverineav has joined #openstack-infra02:25
openstackgerritIan Wienand proposed openstack-infra/nodepool master: Update dib stats  https://review.openstack.org/63853302:26
fungiwe could just manually purge the package and let puppet set it back up?02:28
*** wolverineav has quit IRC02:29
*** rfolco|rover has quit IRC02:30
*** wolverineav has joined #openstack-infra02:31
*** sdake has quit IRC02:32
*** wolverineav has quit IRC02:33
*** ijw has quit IRC02:35
*** sdake has joined #openstack-infra02:35
*** sdake_ has joined #openstack-infra02:38
*** sdake has quit IRC02:38
openstackgerritIan Wienand proposed openstack-infra/project-config master: Add nodepool-dib dashboard  https://review.openstack.org/63832502:40
*** ccamacho has quit IRC02:48
*** rascasoft has joined #openstack-infra02:56
*** markvoelker has quit IRC02:57
*** yamamoto has quit IRC02:57
*** whoami-rajat has joined #openstack-infra02:57
*** yamamoto has joined #openstack-infra03:02
*** sdake_ has quit IRC03:03
*** hwoarang has quit IRC03:03
*** psachin has joined #openstack-infra03:04
*** rascasoft has quit IRC03:05
*** hwoarang has joined #openstack-infra03:07
*** sdake has joined #openstack-infra03:10
*** apetrich has quit IRC03:16
*** janki has joined #openstack-infra03:20
*** emccormick has quit IRC03:23
*** bhavikdbavishi has quit IRC03:30
*** sdake has quit IRC03:33
*** emccormick has joined #openstack-infra03:42
*** udesale has joined #openstack-infra03:53
*** markvoelker has joined #openstack-infra03:54
*** rascasoft has joined #openstack-infra03:55
*** yamamoto has quit IRC03:56
*** yamamoto has joined #openstack-infra03:59
*** rascasoft has quit IRC04:00
*** yamamoto has quit IRC04:05
*** diablo_rojo has quit IRC04:10
*** slaweq has joined #openstack-infra04:11
mordredpabelanger, mnaser: I +A the sdk change for the error message fix (in gate now) - but yeah - if that file goes away now, sadness will ensue04:13
*** anteaya has quit IRC04:14
*** hwoarang has quit IRC04:15
*** slaweq has quit IRC04:16
*** hwoarang has joined #openstack-infra04:17
*** wolverineav has joined #openstack-infra04:20
*** bhavikdbavishi has joined #openstack-infra04:20
*** rlandy|afk is now known as rlandy04:21
*** wolverineav has quit IRC04:24
*** markvoelker has quit IRC04:27
*** ramishra has joined #openstack-infra04:48
*** lpetrut has joined #openstack-infra04:49
*** rascasoft has joined #openstack-infra05:09
*** slaweq has joined #openstack-infra05:11
*** yamamoto has joined #openstack-infra05:12
openstackgerritIan Wienand proposed openstack-infra/project-config master: Update nodepool dib stats  https://review.openstack.org/63858305:14
*** slaweq has quit IRC05:15
*** yamamoto has quit IRC05:16
*** rascasoft has quit IRC05:18
*** markvoelker has joined #openstack-infra05:24
*** lpetrut has quit IRC05:25
openstackgerritMerged openstack-infra/project-config master: Add nodepool-dib dashboard  https://review.openstack.org/63832505:26
*** gmann has quit IRC05:28
*** kjackal has joined #openstack-infra05:32
*** ociuhandu has joined #openstack-infra05:36
*** yamamoto has joined #openstack-infra05:37
*** ociuhandu has quit IRC05:40
*** hwoarang has quit IRC05:46
*** hwoarang has joined #openstack-infra05:48
*** kjackal has quit IRC05:51
*** kjackal has joined #openstack-infra05:52
*** lpetrut has joined #openstack-infra05:54
*** kjackal has quit IRC05:56
*** markvoelker has quit IRC05:58
*** hwoarang has quit IRC06:27
openstackgerritMerged openstack-infra/system-config master: Add Redirect options to static https vhosts  https://review.openstack.org/63852706:27
*** calebb has quit IRC06:27
*** hwoarang has joined #openstack-infra06:28
*** ykarel|pto has joined #openstack-infra06:38
*** ykarel|pto is now known as ykarel06:40
*** yamamoto has quit IRC06:50
*** yamamoto has joined #openstack-infra06:50
*** kjackal has joined #openstack-infra06:53
*** hwoarang has quit IRC06:54
*** markvoelker has joined #openstack-infra06:55
*** sdake has joined #openstack-infra06:59
*** quiquell|off is now known as quiquell06:59
*** bhavikdbavishi has quit IRC07:01
*** hwoarang has joined #openstack-infra07:01
openstackgerritIan Wienand proposed openstack/diskimage-builder master: [wip] fix opensuse pip-and-virtualenv  https://review.openstack.org/63859407:05
*** kjackal has quit IRC07:08
*** kjackal has joined #openstack-infra07:09
*** slaweq has joined #openstack-infra07:11
openstackgerritTobias Henkel proposed openstack-infra/zuul master: Optionally disable disk_limit_per_job  https://review.openstack.org/63859607:13
*** slaweq has quit IRC07:15
*** stakeda has joined #openstack-infra07:20
openstackgerritChandan Kumar proposed openstack-infra/openstack-zuul-jobs master: Remove periodic-package-stackviz-element job  https://review.openstack.org/63859807:23
*** rascasoft has joined #openstack-infra07:24
openstackgerritMerged openstack-infra/project-config master: Remove tox-py35-on-zuul from zuul-jobs  https://review.openstack.org/63852507:26
*** jtomasek has joined #openstack-infra07:27
*** dpawlik has quit IRC07:28
*** markvoelker has quit IRC07:28
*** e0ne has joined #openstack-infra07:29
chandankumarAJaeger: Hello07:31
chandankumarAJaeger: I need to remove this legacy job https://github.com/openstack/stackviz/blob/master/.zuul.yaml#L10 and move it to proper publish to pypi job07:31
*** sdake has quit IRC07:33
openstackgerritChandan Kumar proposed openstack-infra/openstack-zuul-jobs master: Remove periodic-package-stackviz-element job  https://review.openstack.org/63859807:34
openstackgerritChandan Kumar proposed openstack-infra/project-config master: Add publish to pypi job for stackviz  https://review.openstack.org/63860207:38
chandankumarAJaeger: ^^ I have proposed the above patches, feel free to take a look. thanks :-)07:39
*** dpawlik has joined #openstack-infra07:39
*** e0ne has quit IRC07:43
*** e0ne has joined #openstack-infra07:44
AJaegerchandankumar: I'm confused07:44
*** aojea has joined #openstack-infra07:44
*** e0ne has quit IRC07:44
AJaegerthe legacy job is an npm job that is run daily - you replace it iwth a python publish job publishing to pypi.07:45
AJaegerchandankumar: I commented - if this is correct, the project-config change needs far more explanation...07:46
*** ykarel is now known as ykarel|lunch07:46
*** emccormick has quit IRC07:49
*** e0ne has joined #openstack-infra07:50
chandankumarAJaeger: Currently there are two tarballs getting published related to stackviz.07:51
chandankumarhttp://tarballs.openstack.org/package-stackviz-element/07:51
chandankumarand http://tarballs.openstack.org/stackviz/07:51
chandankumarFirst one is the correct tarball it contains stackviz html file and python binary but07:51
chandankumarsecond one contains only pypi which is not usable.07:51
chandankumarIn RDO side, while package, I have used second one.07:51
chandankumarAJaeger: First one getting generated from periodic-package-stackviz-element job but in the end07:51
chandankumarit is pubished as a python package. it is causing confusion due to two tarballs, so proposed to07:51
chandankumarremove it07:51
chandankumarAJaeger: or may be I am doing something wrong07:52
*** ginopc has joined #openstack-infra07:53
*** yamamoto has quit IRC07:56
*** yamamoto has joined #openstack-infra07:58
*** bhavikdbavishi has joined #openstack-infra07:59
*** kopecmartin|off is now known as kopecmartin08:00
*** yamamoto has quit IRC08:02
*** slaweq has joined #openstack-infra08:08
*** yamamoto has joined #openstack-infra08:09
*** ykarel|lunch is now known as ykarel08:10
*** e0ne has quit IRC08:10
*** tkajinam has quit IRC08:13
*** yamamoto has quit IRC08:13
AJaegerchandankumar: look at the timestamps, the one folder is from 2017!08:15
AJaegerchandankumar: I have no clue about stackviz, I just see that you change publishing and the commit message does not explain to me why the change you do is the right one ;(08:16
*** sdake has joined #openstack-infra08:18
chandankumarAJaeger: thanks, I think I got the solution in rdo packaging side to use source from git and rebuild npm and reuse it in rdo packaging08:18
chandankumari will abandon the reviews08:18
*** yamamoto has joined #openstack-infra08:22
*** markvoelker has joined #openstack-infra08:25
*** apetrich has joined #openstack-infra08:26
*** jpich has joined #openstack-infra08:51
*** jpich has quit IRC08:52
*** jpich has joined #openstack-infra08:52
*** sshnaidm is now known as sshnaidm|off08:56
*** dtantsur|afk is now known as dtantsur08:58
*** markvoelker has quit IRC08:59
*** ykarel is now known as ykarel|lunch08:59
*** jpena|off is now known as jpena09:02
AJaegerchandankumar: if the periodic job is broken, we can remove it as well - we don't do this for any other repo...09:09
*** ociuhandu has joined #openstack-infra09:10
chandankumarAJaeger: is there a way to just run npm build and then run python setup.py sdist together09:10
chandankumarAJaeger: currently I am debugging it09:10
AJaegerchandankumar: I'm not aware of anything - but you can search using codesearch.openstack.org09:11
*** kjackal has quit IRC09:12
*** kjackal has joined #openstack-infra09:17
*** panda|ruck|off is now known as panda|ruck09:24
*** sdake has quit IRC09:26
*** yamamoto has quit IRC09:28
*** jaosorior has quit IRC09:33
*** jaosorior has joined #openstack-infra09:35
*** electrofelix has joined #openstack-infra09:36
openstackgerritJakub Bielecki proposed openstack-infra/nodepool master: doc bugfix for static provider  https://review.openstack.org/63751809:40
*** ykarel|lunch is now known as ykarel09:41
*** stakeda has quit IRC09:47
*** stephenfin is now known as finucannot09:48
*** markvoelker has joined #openstack-infra09:56
*** dtantsur is now known as dtantsur|brb10:01
*** gfidente has joined #openstack-infra10:03
*** takamatsu_ has quit IRC10:04
*** takamatsu has joined #openstack-infra10:05
*** yamamoto has joined #openstack-infra10:08
*** yamamoto has quit IRC10:13
*** e0ne has joined #openstack-infra10:19
*** gfidente has quit IRC10:22
*** takamatsu_ has joined #openstack-infra10:23
*** helenaAM has joined #openstack-infra10:23
*** takamatsu has quit IRC10:24
*** gfidente has joined #openstack-infra10:26
*** markvoelker has quit IRC10:28
*** luizbag has joined #openstack-infra10:29
*** rcernin has quit IRC10:31
*** gfidente has quit IRC10:37
*** takamatsu_ has quit IRC10:48
*** takamatsu has joined #openstack-infra10:49
*** ccamacho has joined #openstack-infra10:54
*** ccamacho has quit IRC10:54
*** takamatsu has quit IRC10:54
*** shardy has joined #openstack-infra10:54
*** takamatsu has joined #openstack-infra10:58
*** udesale has quit IRC10:59
*** shardy has quit IRC11:06
*** sdake has joined #openstack-infra11:11
*** tosky has joined #openstack-infra11:12
aspiersis the 'recheck' zuul directive documented anywhere? I can't find it if so11:18
aspiersand is it possible to just recheck an individual job, not the whole lot?11:18
*** jlibosva has joined #openstack-infra11:23
*** markvoelker has joined #openstack-infra11:25
frickleraspiers: the answer to the second question is "intentionally no". I'll check for docs in a minut11:26
toskyaspiers: documented at least here: https://docs.openstack.org/doc-contrib-guide/quickstart/first-timers.html11:26
toskywell, at least mentioned11:26
aspierstosky: thanks!11:26
aspiersfrickler: interesting, what's the intention with that?11:26
frickleraspiers: avoiding getting patches to pass unstable jobs more easily11:27
openstackgerritColleen Murphy proposed openstack-infra/system-config master: Upgrade all dev servers to puppet 4  https://review.openstack.org/63039111:27
openstackgerritColleen Murphy proposed openstack-infra/system-config master: Upgrade some servers to puppet 4  https://review.openstack.org/63472611:27
openstackgerritColleen Murphy proposed openstack-infra/system-config master: Upgrade git01.openstack.org to puppet 4  https://review.openstack.org/63472711:27
aspiersfrickler: you mean rather than fixing the instability?11:28
fricklertosky: oh, that one still mentions console.html, we should update it11:28
toskyaspiers: aka: recheck every job independently until you have everything passing11:28
frickleraspiers: tosky: exactly11:28
aspiersHrm. It's a good intention but I'm not sure how effective it is11:29
aspiersMaybe it works with some people11:29
frickleraspiers: if you intentionally want to run only a single job against your patch multiple times, you can modify zuul.yaml to only run that job11:29
aspiersfrickler: No I don't11:29
*** bhavikdbavishi has quit IRC11:30
toskyI think I created a story to request the possibility to recheck a single experimental job but without having it voting11:30
*** yamamoto has joined #openstack-infra11:30
openstackgerritHelena proposed openstack-infra/project-config master: Add rsd-virt-for-nova project  https://review.openstack.org/63863311:30
aspiershttps://review.openstack.org/#/c/633855/ got V-1 due to some random instability in nova-next which I don't have the first clue how to fix. So my only choice currently is to waste a huge bunch of CI resources by rechecking 25 jobs just because a single voting one failed. This does not make sense to me.11:31
aspiersEspecially considering on the next recheck, any number of other partially stable jobs in this list could also fail for reasons unrelated to my change11:32
fricklerthat's why folk like mriedem give so high priority to fixing unstable jobs11:33
aspiersIf you have 25 jobs of which 5 randomly fail 10% of the time, the probability of getting V+1 is less than 60%11:34
*** yamamoto has quit IRC11:34
aspiersfrickler: And of course we're all grateful for those heroes. But many contributors don't have enough knowledge to help with the instabilities, so I'm wondering if burning CI resources through unnecessary rechecks is the right approach.11:35
*** auristor has quit IRC11:35
openstackgerritHelena proposed openstack-infra/project-config master: Add rsd-virt-for-nova project  https://review.openstack.org/63863311:36
aspiersAnyway, just fancied providing some food for thought ;-) No need for action right now.11:36
*** kjackal has quit IRC11:40
jlibosvahello, I have some issue I can't tackle with zuul. I think somebody more experienced with zuul than I am can spot the problem quickly. I backported a job from master to rocky but the job doesn't get triggered in rocky, it's just not started by zuul. I tried to define branches and some other stuff but can't make it running. Can anybody help, please?11:42
fricklerjlibosva: do you have a pointer to a review?11:43
jlibosvafrickler: sure: https://review.openstack.org/#/c/63842711:43
jlibosvafrickler: maybe best would be to look at PS1 - the rest of patchsets are rather experiments11:44
jlibosvathe same job is defined in master branch so I'm not sure how to make it running on rocky, if I need to define it in master with branches attribute or I need a backport ...11:45
*** auristor has joined #openstack-infra11:45
*** priteau has joined #openstack-infra11:46
*** auristor has quit IRC11:49
*** gmann has joined #openstack-infra11:49
fricklerjlibosva: hmm, I don't see anything obvious, seems to me like the backport to rocky in PS1 should just work. I'm trying to check zuul logs now11:50
jlibosvafrickler: thanks for looking into it. so is it fine the job names and job templates have the same name as master? i know zuul configuratoin is global11:51
*** auristor has joined #openstack-infra11:51
AJaegerjlibosva: you can enable debugging, see https://zuul-ci.org/docs/zuul/user/config.html#attr-project.%3Cpipeline%3E.debug11:54
fricklerjlibosva: should be the same thing that happens when master is branched e.g. to stable/stein, that also supposed to just work without any additional action11:54
AJaegerAdd that to check pipeline and then once all jobs passed, it will give you debug output - that might help pinpoint the problem11:54
jlibosvaAJaeger: thanks, I will try it out11:54
AJaegertoogle CI output to see it in web ui once check was run11:55
fricklerjlibosva: 2019-02-22 10:28:31,682 DEBUG zuul.layout: No matching parents for job tempest-multinode-full and change <Change 0x7fb78e31e860 openstack/networking-ansible 638427,2>11:57
fricklerjlibosva: so devstack defines tempest-multinode-full only in master it seems11:57
jlibosvafrickler: I thought that comes from tempest and that is branchless11:57
*** markvoelker has quit IRC11:59
fricklerjlibosva: ah, yes. but it has a branch restriction: http://git.openstack.org/cgit/openstack/tempest/tree/.zuul.yaml#n20111:59
*** janki has quit IRC12:01
*** kjackal has joined #openstack-infra12:02
*** sdake has quit IRC12:03
*** AJaeger has quit IRC12:04
*** sdake_ has joined #openstack-infra12:04
jlibosvafrickler: that was the first thing I tried :) I tried to override it in PS2. Also if it doesn't find the parent, then it won't even get to that restriction, will it?12:05
*** rfolco|rover has joined #openstack-infra12:06
fricklerjlibosva: I don't think that you can override that restriction in your job because it is tagged to the parent12:07
fricklerjlibosva: so either ask in #-qa whether that job could be enabled for stable/rocky now, or copy the complete job description from tempest as a workaround. or maybe some zuul specialist like corvus comes up with a more clever solution ;)12:08
jlibosvafrickler: will do, thanks for your help, I've been staring at it way too long :)12:09
*** dpawlik has quit IRC12:16
*** udesale has joined #openstack-infra12:16
*** yamamoto has joined #openstack-infra12:16
*** AJaeger has joined #openstack-infra12:17
*** Tengu has quit IRC12:17
*** Tengu has joined #openstack-infra12:17
*** gfidente has joined #openstack-infra12:20
*** dpawlik has joined #openstack-infra12:23
*** EmilienM is now known as EvilienM12:27
*** priteau has quit IRC12:31
*** dtantsur|brb is now known as dtantsur12:35
*** jpena is now known as jpena|lunch12:35
*** gfidente has quit IRC12:38
*** priteau has joined #openstack-infra12:39
*** ccamacho has joined #openstack-infra12:39
*** gfidente has joined #openstack-infra12:40
*** roman_g has joined #openstack-infra12:41
*** roman_g has quit IRC12:46
*** markvoelker has joined #openstack-infra12:56
*** ociuhandu has quit IRC13:01
*** jcoufal has joined #openstack-infra13:01
*** trown|outtypewww is now known as trown13:03
*** kgiusti has joined #openstack-infra13:08
gmannfrickler: jlibosva i am trying it to make it for stable branches but facing few issue - https://review.openstack.org/#/c/620582/13:08
*** auristor has quit IRC13:09
*** mriedem has joined #openstack-infra13:10
*** panda|ruck is now known as panda|lunch13:10
*** auristor has joined #openstack-infra13:11
*** dave-mccowan has joined #openstack-infra13:18
*** florianf has joined #openstack-infra13:19
*** quiquell is now known as quiquell|off13:22
*** udesale has quit IRC13:25
*** markvoelker has quit IRC13:28
*** jlibosva has quit IRC13:30
*** rlandy has joined #openstack-infra13:34
*** psachin has quit IRC13:35
*** hamzy has quit IRC13:35
openstackgerritHelena proposed openstack-infra/project-config master: Add rsd-virt-for-nova project  https://review.openstack.org/63863313:38
*** hamzy has joined #openstack-infra13:40
*** udesale has joined #openstack-infra13:41
*** dave-mccowan has quit IRC13:43
*** yamamoto has quit IRC13:43
*** yamamoto has joined #openstack-infra13:43
*** dave-mccowan has joined #openstack-infra13:43
*** agopi has quit IRC13:44
*** ccamacho has quit IRC13:50
*** ccamacho has joined #openstack-infra13:51
*** sdake_ has quit IRC13:51
*** agopi has joined #openstack-infra13:54
*** florianf has quit IRC13:57
*** agopi_ has joined #openstack-infra13:58
*** agopi has quit IRC14:00
*** sthussey has joined #openstack-infra14:03
*** dave-mccowan has quit IRC14:05
*** ekultails has joined #openstack-infra14:06
mnaserwould anyone happen to know why mirror01.ca-ymq-1.vexxhost.openstack.org still exists?14:06
mnaserit looks like mirror02 exists and it's what we're pointing to14:06
mnaseri know we brought up mirror02 to use a new flavor and we switched to it14:07
mnasermirror.ca-ymq-1.vexxhost.openstack.org is a CNAME to mirror02.ca-ymq-1.vexxhost.openstack.org14:07
*** jpena|lunch is now known as jpena14:13
*** panda|lunch is now known as panda14:13
*** jamesmcarthur has joined #openstack-infra14:17
*** sdake has joined #openstack-infra14:18
*** panda is now known as panda|rcuk14:21
*** panda|rcuk is now known as panda|ruck14:21
*** dpawlik has quit IRC14:23
*** priteau has quit IRC14:25
*** markvoelker has joined #openstack-infra14:25
*** eharney has joined #openstack-infra14:25
*** jamesmcarthur has quit IRC14:26
fungilikely someone missed cleaning it up. happy to delete it now14:27
*** cmurphy is now known as cmorpheus14:27
openstackgerritHelena proposed openstack-infra/project-config master: Add rsd-virt-for-nova project  https://review.openstack.org/63863314:28
fungii have vague memories there was something weird we were troubleshooting with it, so maybe whatever that was never got brought to a conclusion when we got sidetracked by some other fire14:28
fungi#status log deleted old mirror01.ca-ymq-1.vexxhost.openstack.org server, long since replaced by mirror0214:30
openstackstatusfungi: finished logging14:30
fungii also see an available cinder volume there named nb03.openstack.org/main0114:31
fungibut nb03 doesn't exist there14:31
fungicleaning up that unused volume while i'm at it14:31
fungi#status log deleted unused nb03.openstack.org/main01 cinder volume from vexxhost ca-ymq-114:32
openstackstatusfungi: finished logging14:32
fungimnaser: thanks for pointing that out!14:33
mnaserfungi: thank you for the cleanup14:33
fungiit's the least i can do14:34
*** dave-mccowan has joined #openstack-infra14:38
*** bnemec is now known as beekneemech14:39
*** priteau has joined #openstack-infra14:39
*** jamesmcarthur has joined #openstack-infra14:40
*** sdake has quit IRC14:43
*** sdake has joined #openstack-infra14:46
*** dklyle has quit IRC14:46
*** david-lyle has joined #openstack-infra14:46
mnasermordred, pabelanger: https://vexxhost.com/.well-known/openstack/api is back14:48
mnasersorry about that, we moved where our site is hosted and i guess that was missed (and no one really monitored that)14:48
*** luizbag has quit IRC14:48
mordredmnaser: yay for new features breaking things!14:51
mordredmnaser: we should really communicate the support for that out more wider - and I should probably make a gophercloud patch14:51
mnasermordred: yeah, it's super neat.  we should maybe work with something like keystone to be able to add it there?  that way deployment tools can do this natively14:52
mnaserso openstack:5000/.well-known/openstack/api14:52
mnaseror maybe each service should expose their own stuff.. i dunno14:53
mordredmnaser: yeah ... although openstack:5000 would make the well-known part be weird14:53
mnaseryeah that's a bit redundant14:53
mordredoh -no, each service should definitely not :)14:53
mordredmnaser: BUT - I agree, it would be nice for keystone to support it or something14:53
mordredjust not sure what the or something is :)14:53
mnasersolving problemsss14:54
mordredso much problemssss14:54
mordredmnaser: maybe step one is figuring out how to add support to devstack14:55
*** bhavikdbavishi has joined #openstack-infra14:55
mordredmnaser: one of the tricky bits is that like, with your deploy, it's not actually in a location relative to the openstack install - it's in a location relative to your marketing website14:55
mnasermordred: yeah that's what i was thinking, putting it in keystone is a bit redundant14:56
*** efried is now known as fried_rice14:56
mnaserthats why i thought if each service provided it's own thing like "hi im glance and i use raw only" "hi im nova and i support bfv only"14:56
mordredmnaser: so for smaller deploys, or intranets, or whatnot, serving it from keystone or something wouldn't be a bad idea - but for things with sane dns, it wants to be deployed to some other location14:56
mordredmnaser: oh - yeah - but then we get in to the "support service feature discovery in each service"14:57
mordredmnaser: also - that would require deployers to upgrade - whereas even rackspace could deploy a .well-known/openstack/api json file manually to https://rackspace.com if they chose to14:57
mnasertrue14:58
mordredit's a tricky question isn't it?14:58
mnaserbut maybe that way we can get people to upgrade?!?!14:58
mnaser:P14:58
*** markvoelker has quit IRC14:59
* mordred hands mnaser more coffee14:59
mnaser:)15:00
mnaserit's very obviously friday15:00
*** ccamacho has quit IRC15:01
* mordred hands mnaser more friday15:03
*** ykarel is now known as ykarel|away15:10
*** bhavikdbavishi has quit IRC15:14
*** bhavikdbavishi has joined #openstack-infra15:15
*** rh-jelabarre has joined #openstack-infra15:17
*** udesale has quit IRC15:18
*** sdake has quit IRC15:21
JpMaxMancorvus: just checking to see if you have any updates on the zuul preview for the netlify gerrit integration?15:23
*** sdake has joined #openstack-infra15:23
corvusJpMaxMan: we have all the code written and the deployment tooling is ready to go.  i just got sucked into something that ended up taking longer than i expected, so i haven't actually launched the service yet15:24
corvusJpMaxMan: i'm hoping to do that today15:24
JpMaxMancorvus: ok great - thanks for the update... was just on a call and was being asked :)15:25
fungii'm about to disappear so i can go exchange pleasantries with a tax accountant for the rest of my morning, but can hopefully help out after lunch15:26
*** priteau has quit IRC15:27
mordredcorvus: that turned in to a deeper rabbit hole than we thought didn't it?15:32
corvuswe learned so many learnings.15:32
fungiit was a veritable spelunking expedition15:33
*** david-lyle is now known as dklyle15:33
*** Vadmacs has joined #openstack-infra15:34
openstackgerritIvoline Ngong proposed openstack-infra/storyboard-webclient master: Most recently updated projects should be at top of stories list  https://review.openstack.org/63869015:36
*** dklyle has quit IRC15:43
*** david-lyle has joined #openstack-infra15:43
fungiokay, heading out now but should return in a few hours15:46
*** yamamoto has quit IRC15:51
*** ykarel|away has quit IRC15:55
*** markvoelker has joined #openstack-infra15:56
*** kashyap has joined #openstack-infra15:58
kashyapHey folks, is AppArmour used by default on all the CI guests?15:58
openstackgerritHelena proposed openstack-infra/project-config master: Add rsd-virt-for-nova project  https://review.openstack.org/63863316:02
*** kopecmartin is now known as kopecmartin|off16:06
*** raissa has joined #openstack-infra16:10
*** e0ne has quit IRC16:11
*** ykarel|away has joined #openstack-infra16:14
kashyapclarkb: ^ When you get a moment, do you know the answer to AppArmour question above?16:18
mordredkashyap: whatever is used in the base os of the guests is used - so I'd expect apparmour on ubuntu and selinux on rh. I do not believe we do anything specific in the nodes to alter stuff like that16:18
*** aojea has quit IRC16:18
*** gfidente has quit IRC16:19
kashyapmordred: Yeah, noted.  I'd just like to verify16:19
*** e0ne has joined #openstack-infra16:20
kashyapTrying to debug a somewhat silent failure (https://bugs.launchpad.net/nova/+bug/1817324)16:20
openstackLaunchpad bug 1817324 in OpenStack Compute (nova) "Intermittent "Failed to start libvirt guest: libvirt.libvirtError: monitor socket did not show up: No such file or directory" failures in the gate" [Undecided,Confirmed]16:20
kashyapAnd the potential cause is due to AppArmour denials, and that is difficult to debug that in OpenStack envs...16:21
pabelangermnaser: yay, thanks16:25
*** yamamoto has joined #openstack-infra16:28
*** markvoelker has quit IRC16:28
*** agopi_ is now known as agopi16:29
*** roman_g has joined #openstack-infra16:29
openstackgerritJames E. Blair proposed openstack-infra/project-config master: Remove buildset registry job  https://review.openstack.org/63870616:30
openstackgerritJames E. Blair proposed opendev/base-jobs master: Add docker image jobs  https://review.openstack.org/63870716:30
clarkbkashyap: you could grab the audit log16:31
*** e0ne has quit IRC16:31
clarkbor disable apparmor and check if behavior changes16:32
*** gfidente has joined #openstack-infra16:32
*** rossella_s has quit IRC16:32
*** yamamoto has quit IRC16:32
kashyapclarkb: Where is the audit.log here? -- http://logs.openstack.org/48/631948/9/check/tempest-full-py3/e2ae3fb/controller/logs/16:33
clarkbkashyap: it may not be logged yet. But you could modify the job to grab it. Give me a few to dig up where to do that16:34
kashyapThat'd be great16:35
*** ricolin has joined #openstack-infra16:37
openstackgerritJames E. Blair proposed openstack-infra/zuul-preview master: Build docker image  https://review.openstack.org/63703716:37
*** ricolin has quit IRC16:37
clarkbkashyap: https://git.openstack.org/cgit/openstack-dev/devstack/tree/roles/capture-system-logs/tasks/main.yaml16:37
clarkbI've approved the puppet-kerberos package brokeness workaround and will keep an eye on the two kdcs. Then I think I need to make sure the krb5kdc process is running on kdc04 after puppet runs and if so I think we have a happy xenial kdc. Next step after that is booting a xenial kdc03 as a slave. Then we'll sort out a switch of the master to kdc03 probably sometime early next week16:39
mordredclarkb: ++16:39
*** gyee has joined #openstack-infra16:40
clarkbalso I probably won't boot that as kdc03.opendev.org since the kerberos realm is openstack.org?16:40
clarkbswitching the realm over to opendev seems like a future exercise16:41
kashyapclarkb: /me clicks16:41
openstackgerritJames E. Blair proposed openstack-infra/system-config master: run-base: configure docker mirrors on all hosts in CI  https://review.openstack.org/63820016:42
clarkbkashyap: you should be able to add a file copy of /var/log/audit.log (I think that is the path) to the stage dir there. Then depends on that from your other changes16:43
kashyapclarkb: Ah, so a Do-Not-Merge patch to do that would be a quick way to test?16:44
clarkbkashyap: ya though we may want to merge that and collect that data going forward if it would be useful16:45
kashyapclarkb: My patch is merged in master (it's the version bump of libvirt/QEMU and related compat code clean-up)16:45
kashyapclarkb: So something like:16:47
kashyap    if [ `command -v dpkg` ]; then16:47
kashyap          /var/log/audit.log |& tee {{ stage_dir }}/audit.txt16:47
*** mattw4 has joined #openstack-infra16:47
openstackgerritJames E. Blair proposed openstack-infra/system-config master: Run zuul-preview  https://review.openstack.org/63765416:47
clarkbkashyap: or more generally if [ -f /var/log/audit.log ] ; then sudo cp /var/log/audit.log {{ stage_dir }}/audit.log && chmod +r {{ stage_dir }}/audit.log ; fi ?16:48
kashyapAh16:49
kashyapclarkb: Yeah, that's nicer, too16:49
kashyapclarkb: Shall I send a patch with 'Suggested-by' to you?16:50
kashyapUnless you've already published one :-)16:50
openstackgerritJames E. Blair proposed opendev/base-jobs master: Add docker image jobs  https://review.openstack.org/63870716:50
clarkbkashyap: push it however you like :)16:50
kashyapI'll send one with attribution16:50
*** diablo_rojo has joined #openstack-infra16:52
*** rossella_s has joined #openstack-infra16:53
*** roman_g has quit IRC16:54
*** agopi is now known as agopi|lunch|trav16:54
*** agopi|lunch|trav has quit IRC16:55
*** evrardjp is now known as gatersaregonnaga16:58
*** ginopc has quit IRC16:59
*** gatersaregonnaga is now known as evrardjp17:00
kashyapclarkb: Is there an audit.log at all on Ubuntu?  I was told /var/log/auth.log is it17:01
clarkbkashyap: let me check my local server17:01
kashyapI guess it's /var/log/audit, if the audit package is installed17:01
kashyaphttp://manpages.ubuntu.com/manpages/trusty/man5/auditd.conf.5.html17:01
clarkbmy opensuse + apparmor install has /var/log/audit/audit.log. My ubuntu xenial install does not17:02
clarkbhttps://wiki.ubuntu.com/DebuggingApparmor says it is in the kern.log which we do already log17:03
kashyapOkido, thanks17:04
kashyapAh17:04
clarkbkashyap: it is included ins syslog log file iirc17:04
kashyapkern.log?  Where is it even; /me goes to look in17:04
kashyaphttp://logs.openstack.org/48/631948/9/check/tempest-full-py3/e2ae3fb/controller/logs/17:04
clarkbwe do a journalctl -u kernel -u otherstuff or similar for that file17:04
kashyapAh-ha17:05
clarkbhttps://git.openstack.org/cgit/openstack-dev/devstack/tree/roles/export-devstack-journal/tasks/main.yaml#n29 yup17:05
clarkb-t kernel17:05
kashyapSo it should be it: http://logs.openstack.org/48/631948/9/check/tempest-full-py3/e2ae3fb/controller/logs/syslog.txt.gz17:06
kashyap(In my case)17:06
clarkbyes I think so17:06
*** roman_g has joined #openstack-infra17:06
*** mattw4 has quit IRC17:07
kashyapclarkb: So ... there are no AppArmor entries there.  Talking to Sean Mooney, they said it should be 'dmesg'17:07
*** ykarel_ has joined #openstack-infra17:08
*** dtantsur is now known as dtantsur|afk17:08
kashyapclarkb: Ha!  Found the sucker ... in my problem scenario:17:08
*** mattw4 has joined #openstack-infra17:09
kashyapFeb 21 17:14:13 ubuntu-bionic-inap-mtl01-0002851272 kernel: traps: qemu-system-x86[31240] general protection ip:5600cbedaf78 sp:7f2dba1ebf00 error:0 in qemu-system-x86_64[5600cb81c000+8d2000]17:09
kashyap'the hell is that...17:09
*** ykarel|away has quit IRC17:10
kashyapclarkb: Do you know what that 'trap' is trying to tell us?  Or who actually knows AppArmor?17:10
*** helenaAM has quit IRC17:11
openstackgerritMerged openstack-infra/puppet-kerberos master: Workaround broken ubuntu packaging  https://review.openstack.org/63857017:13
clarkbkashyap: is that the kernel trapping a general protection fault from the cpu?17:16
kashyapIt's actually a good old QEMU crash17:16
kashyapThat's what at least a seasoned QEMU dev said17:16
clarkbya I think that is qemu doing a thing that causes a general protection fault17:17
*** luizbag has joined #openstack-infra17:17
kashyapclarkb: I have an evil question: what is the hack to upload (now that 'rootwrap' in Nova is gone) a debug QEMU binary build to get backtraces?17:17
*** trown is now known as trown|lunch17:18
clarkbkashyap: you'd want a devstack change that replaces qemu after the regular qemu install in devstack (fwiw this was probabl always a better way to do it. THe rootwrap hack was only a thing I think because no one wanted to read devstack bash)17:18
*** rossella_s has quit IRC17:18
clarkbkashyap: in devstack/lib/nova there should be a section of the code that configures libvirt and qemu. I would do your updates just befoer that17:18
clarkband ubuntu probably even has packages for that? you might be able to just change the devstack/files/deb/nova list to be qemu-debug instead of qemu17:19
clarkbkashyap: looks like we'd have to modify the /etc/apt/sources.list to pull from ddebs.ubuntu.com then you should be able to install qemu-dbg ?17:22
* kashyap will pay 100% attention here shortly; talking to QEMU dev17:23
clarkbor do it however you were doing it before but have devstack do it for you17:23
kashyapI don't know how you folks do, splitting b/n multiple channels.  Despite 10 years of IRC, I still feel like an "headless chicken" running around17:23
kashyap:D17:23
*** yamamoto has joined #openstack-infra17:24
kashyapclarkb: Haha ("no one wanted to read DevStack Bash")17:24
kashyapclarkb: Okay, so is there an existing patch that did via DevStack?  (Doesn't have to be QEMU, another binary is fine, too)17:25
clarkbkashyap: I am not aware of one. But if we figure this out it might be a nice idea to add DEBUG_QEMU as a flag and toggle it on and off17:25
kashyapOh, yeah...17:25
kashyapGood idea17:25
*** markvoelker has joined #openstack-infra17:25
corvusclarkb, mordred, fungi: i'm doing a final cleanup pass over the registry jobs.  i'll try to batch my review requests.  the first batch is ready -- the 4 changes with V+1 votes in https://review.openstack.org/#/q/status:open+topic:registry are ready to merge17:26
corvusclarkb, mordred, fungi: (at the end of this, we should have a zuul-preview server running)17:27
clarkbkashyap: https://git.openstack.org/cgit/openstack-dev/devstack/tree/lib/nova#n289 is probable the easiest place to add something for now17:27
* kashyap clicks17:27
*** tosky has quit IRC17:28
*** yamamoto has quit IRC17:29
kashyapclarkb: I certainly would find it really useful; even for libvirt binary17:30
kashyapDEBUG-LIBVIRTD or something like that17:30
kashyaps/-/_17:30
*** luizbag_ has joined #openstack-infra17:32
clarkbcorvus: the reason the docker image promotion pipeline is in opendev base jobs and not zuul jobs is that we need them to be privileged right?17:33
*** luizbag has quit IRC17:34
clarkb(fairly certain that is the case as they rely on that registry secret)17:35
*** jpich has quit IRC17:36
corvusclarkb: right, the pre and post run playbooks run privileged roles on the executor... i think since they execute skopeo they need to be in a trusted playbook.17:37
openstackgerritMerged openstack-infra/project-config master: Remove buildset registry job  https://review.openstack.org/63870617:38
clarkbcorvus: posted a different question on https://review.openstack.org/#/c/638707/217:39
corvusclarkb: replied17:44
clarkbcorvus: but we don't provide docker_credentials to those jobs?17:45
clarkbcorvus: or are you saying you must inherit from that job and supply those creds yourself?17:45
corvusclarkb: the link i left there points to a change which does17:45
corvusclarkb: yep.17:45
clarkbcorvus: if those jobs are inheritable couldn't you inherit from them and echo the credentials for the intermediate (and buildset registries)17:46
kashyapclarkb: Thanks for the (non-null) pointers :-)  Appreciate it17:46
clarkbI guess that would depend on when those credentials are written to disk17:46
clarkbkashyap: no problem17:46
*** takamatsu_ has joined #openstack-infra17:48
clarkbit looks like we may have intermediate registry creds written in pre17:48
clarkb(because we pull from that registry in pre)17:48
*** takamatsu has quit IRC17:48
corvusclarkb: if you echo the buildset registry (which you can do, it's all there in an ansible variable), you're only shooting yourself in the foot, no harm done to the system.  the intermediate registry credential is only available to the pre and post playbooks in that base job.  the creds are never written to disk, only used on a command line which runs on the executor.  that secret isn't available17:49
corvusto any other playbooks.17:49
corvusthe roles in pre and post which use the intermediate registry secret will be (though they are not right now) no_log, so that it won't be exposed via ansible17:49
clarkbI see it is only the buildset registry that we write creds to disk for17:49
corvuscorrect17:50
clarkband ya those creds are not really a problem since it is an ephemeral registry17:50
corvusafter all this lands and is confirmed to work, i'm going to enable no_log on those and change our intermediate registry password (beacuse i have intentionally exposed it during debugging)17:50
corvuscorrect17:50
clarkbok approved the change. Remainign feedback is maybe add a blurb about inheriting from those jobs with your specific credentials for dockerhub publishing (I couldn't find that in the existing rst files)17:52
*** sdake has quit IRC17:54
corvuswell, the rst file describes the input for the job just like all the other jobs; inheritance is always optional.17:55
*** sdake has joined #openstack-infra17:55
clarkbyou won't be able to do the promote job without inhertance right?17:55
clarkb(and the publish job)17:55
*** betherly has joined #openstack-infra17:56
*** ijw has joined #openstack-infra17:57
corvusyou just need to give the job your secret.  you should probably do that via inheritance, but you could just invoke "opendev-promote-docker-image" in a project-pipeline and give it the secret there.17:57
corvusif we set "abstract: true" we could force people to make new jobs and inherit.17:57
clarkbI see17:57
*** roman_g has quit IRC17:58
*** electrofelix has quit IRC17:58
*** markvoelker has quit IRC17:59
*** raissa has quit IRC17:59
*** betherly has quit IRC18:01
clarkbok puppet worked on kdc04 and stopped kadmind and set it to disabled. krb5-kdc is not running but systemctl seems to imply it is enabled. I'm going to reboot that server to see if it comes up as we want with no kadmind and a krb5-kdc running18:01
*** wolverineav has joined #openstack-infra18:01
openstackgerritMerged opendev/base-jobs master: Add docker image jobs  https://review.openstack.org/63870718:02
*** takamatsu_ has quit IRC18:03
clarkbit came up as expected. i think kdc04 is in a happy spot now18:03
*** mriedem is now known as mriedem_lunch18:05
*** takamatsu_ has joined #openstack-infra18:06
openstackgerritJames E. Blair proposed openstack-infra/zuul-jobs master: DNM: test  https://review.openstack.org/63873618:07
*** jpena is now known as jpena|off18:07
*** ekultails has quit IRC18:12
*** ekultails has joined #openstack-infra18:13
*** jmorgan1 has quit IRC18:15
corvusclarkb: i just double checked -- there is something that requires it to be a trusted playbook: http://logs.openstack.org/36/638736/1/check/corvus-test/59c5003/ara-report/result/8f9ec055-fc73-4116-a496-02caf54e1675/18:15
*** dave-mccowan has quit IRC18:15
corvusclarkb: however, that may be the only thing18:15
corvusunfortunately, i think skopeo is hard-coded to look in /etc/docker/certs.d (and a few other /etc/ locations).  so we can't just make a workdir/certs.d18:17
clarkbdarn18:17
*** nicolasbock has joined #openstack-infra18:17
clarkbI am booting kdc03.openstack.org now (as mentioned before I think opendev kerberos servers are currently out of scope of current work as that would imply completely new realm setup)18:17
clarkbonce that is up I'll get a change up to system-config to add it to site.pp and the inventory and all that18:18
corvusclarkb: ++18:18
nicolasbockHi, where is `NODEPOOL_MIRROR_HOST` defined?18:18
nicolasbockI found multiple references to it, but not where it's defined18:18
clarkbnicolasbock: it is set in a legacy compatibility script at /etc/nodepool/mirror_info.sh that you can source. Let me find where we define that18:19
nicolasbockOh cool18:19
clarkbnicolasbock: https://git.openstack.org/cgit/openstack-infra/openstack-zuul-jobs/tree/roles/mirror-info/templates/mirror_info.sh.j2#n1718:20
nicolasbockThe reason I was asking is that we are seeing RPM repository verification errors (http://logs.openstack.org/47/638547/1/gate/openstack-ansible-functional-opensuse-423/7ec16b6/job-output.txt.gz#_2019-02-22_15_04_59_341959) that could be caused by an outdated mirror18:20
corvushttp://git.openstack.org/cgit/opendev/base-jobs/tree/roles/mirror-info/templates/mirror_info.sh.j218:20
clarkbnicolasbock: we've had that problem in the past due to opensuse rsync servers rejecting our connections18:20
nicolasbockThis mirror is mariadb18:21
nicolasbockThey are building openSUSE packages18:21
*** jmorgan1 has joined #openstack-infra18:21
clarkbhttp://mirror.ord.rax.openstack.org:8080/MariaDB/mariadb-10.2.17/yum/opensuse42-amd64 specifically is what is failing and that isn't a mirror but a cache18:21
clarkber caching proxy18:21
*** jmorgan1 has quit IRC18:21
nicolasbockAh18:22
clarkbyou should be able to navigate it and check things directly18:22
*** jmorgan1 has joined #openstack-infra18:22
*** jamesmcarthur has quit IRC18:22
nicolasbockYou mean go through the proxy URI?18:22
nicolasbockI'll try to manually verify that repo18:22
clarkbnicolasbock: ya open that link above18:22
nicolasbockThanks for the pointer!18:22
*** whoami-rajat has quit IRC18:27
*** rlandy is now known as rlandy|brb18:28
*** wolverineav has quit IRC18:28
*** wolverineav has joined #openstack-infra18:31
corvusclarkb: i stand corrected, there is a skopeo option to set the cert dir18:31
openstackgerritClark Boylan proposed openstack-infra/system-config master: Add kdc03.openstack.org  https://review.openstack.org/63874518:32
clarkbcorvus: yay18:32
corvusclarkb: sorry for the churn, but i think we might be able to move this into zuul-jobs after all.  :)18:32
*** wolverineav has quit IRC18:32
*** wolverineav has joined #openstack-infra18:32
corvusi'm going to take a little break and then work up those changes18:32
clarkbinfra-root I think ^ is ready to be approved. I'm going to add dns records now (including the SRV record since kdc04 had no kdc running and afs was happy we should be fine for a bit while we wait for puppet to configure kdc03). I'll also add the host principle (and maybe even figure out how to remove the kdc02 principle)18:34
*** gfidente has quit IRC18:34
clarkbthen once puppet is done on kdc03 I'll copy the stash file making it an eligible master node. And we can plan for a swap of the master nodes next week18:35
*** betherly has joined #openstack-infra18:35
openstackgerritJames E. Blair proposed openstack-infra/zuul-preview master: Build docker image  https://review.openstack.org/63703718:39
*** ramishra has quit IRC18:40
*** trown|lunch is now known as trown18:40
*** betherly has quit IRC18:40
openstackgerritJames E. Blair proposed openstack-infra/system-config master: Run zuul-preview  https://review.openstack.org/63765418:40
clarkbwhile I'm thinking about this kerberos stuff ansible likely would model the interaction with kerberos itself and the need for copying files between nodes. I will follow our docs as is for now but if/when we do an opendev.org realm we ought to be able to use playbooks to add principles, copy the keytab, then copy the stash18:40
*** chandankumar is now known as raukadah18:45
*** agopi has joined #openstack-infra18:45
*** jamesmcarthur has joined #openstack-infra18:51
*** lpetrut has quit IRC18:51
*** rlandy|brb is now known as rlandy18:54
*** markvoelker has joined #openstack-infra18:56
*** bhavikdbavishi has quit IRC18:57
clarkbinfra-root I've added all the dns records for kdc03.o.o including the SRV record. I've also updated the krb5.keytab on all three kdcs and kprop from 01 to 04 continues to work. We are ready for https://review.openstack.org/638745 (thank you corvus for the review)19:00
nicolasbockclarkb: I tested the proxy URI from above and it works without any errors. Could the proxy cache have been out of date when the gate job ran?19:02
clarkbnicolasbock: that could be. Perhaps the metadata and the actual contents were cached differently (so one had updated while the other was not yet expired)19:03
nicolasbockOk, is that something we can do anything about?19:04
nicolasbockWhat's strange though is that this version is not the latest and I wouldn't expect any changes in that repo19:04
clarkbnicolasbock: you could check the headers on the files when requested from the backend to ensure they aren't wildly different expiry times19:04
clarkband if they are wildly different ask the backend to fix it to be more friendly to a cache19:04
clarkb(another option is to not use the cache and talk directly to the backend though that tends to fail for other reasons)19:04
nicolasbockOk, thanks!19:05
clarkbfungi: I'm trying to update my trusty server upgrade todo list. Are storyboard and storyboard-dev as well as openstackid and openstackid-dev all upgraded to xenial now? I'll mark them done if so19:06
openstackgerritMerged openstack-infra/zuul-jobs master: Assure iptables is installed inside multi-node-firewall role  https://review.openstack.org/63841419:06
*** lpetrut has joined #openstack-infra19:07
clarkbcmorpheus: not sure if you saw but I got afs and kerberos servers futureparsered19:08
clarkbfungi: smarcet, if the openstackid servers are done can we move forward with https://review.openstack.org/#/c/616001/8 and its child now?19:09
clarkbI'm happy to help with ^ but want ot make sure that won't interfere with your work19:09
*** yamamoto has joined #openstack-infra19:12
*** jamesmcarthur has quit IRC19:12
*** auristor has quit IRC19:15
*** jamesmcarthur has joined #openstack-infra19:15
*** jamesmcarthur has quit IRC19:16
*** yamamoto has quit IRC19:16
*** e0ne has joined #openstack-infra19:18
*** auristor has joined #openstack-infra19:22
*** mriedem_lunch is now known as mriedem19:25
*** eernst has joined #openstack-infra19:26
*** ykarel_ is now known as ykarel19:28
*** markvoelker has quit IRC19:28
*** eernst has quit IRC19:31
*** sdake has quit IRC19:31
corvusclarkb: i think i'm going to defer the move to zuul-jobs -- we'd need the same number of jobs in opendev/base-jobs, we'd just move some simple playbooks out.  since this is in base-jobs anyway (versus leaf-node jobs in project repos), i'm not convinced it's worth much effort atm.  we can always do it later.19:32
*** ykarel is now known as ykarel|away19:32
clarkbcorvus: wfm19:32
*** eernst has joined #openstack-infra19:34
cloudnullhey all, ive not been following along but we're seeing a bunch of these errors "... finger://ze03.openstack.org/5a2c579048f64e80925ba22aafd6c0b0 : RETRY_LIMIT" - is that something known?19:36
openstackgerritJames E. Blair proposed opendev/base-jobs master: Remove pre playbook from opendev-build-docker-image  https://review.openstack.org/63875819:36
clarkbcloudnull: no, what job was that for?19:36
corvusclarkb: ^ that's an oops and needs to go in before the rest will work19:36
cloudnullclarkb https://review.openstack.org/#/c/638556/19:37
corvusAJaeger: https://review.openstack.org/638758 could use a quick review if you have a sec19:37
*** eernst has quit IRC19:38
corvusclarkb, clarkb: 2019-02-22 16:18:56,647 DEBUG zuul.AnsibleJob: [build: 5a2c579048f64e80925ba22aafd6c0b0] Ansible complete, result RESULT_UNREACHABLE code None19:39
AJaegercorvus: just done - was double checking your comment ;)19:39
clarkbcloudnull: http://paste.openstack.org/show/745765/ looks like the job may have killed the node? or the node went unreachable due to duplication ip problem?19:40
*** eernst has joined #openstack-infra19:40
cloudnullcould be?19:41
cloudnullif you check that job out we've rechecked it a bunch, its always finger://ze*.openstack.org...19:42
clarkbcloudnull: if you watch the log stream while the job is running that may give you more info19:42
cloudnullok.19:42
cloudnullwill have a look19:42
*** dave-mccowan has joined #openstack-infra19:43
*** eernst has quit IRC19:44
*** eernst has joined #openstack-infra19:46
*** ykarel|away has quit IRC19:46
*** eernst has quit IRC19:48
corvusclarkb, cloudnull: i spot checked 5 of those, they ran in ovh-bhs1 x2, rax-iad x1, and rax-ord x219:50
corvusthat diversity of providers makes an infrastructure problem (such as IP reuse) unlikely i think.19:50
clarkb++19:50
corvuscloudnull: also not sure if you noticed, but this job failed, but managed to finish and upload logs.  which means it could be a different problem, or it could be related to the same problem and might help you triangulate it: http://logs.openstack.org/56/638556/1/check/openstack-ansible-functional-distro_install-centos-7/2541dda/19:51
fungiokay, taxes and lunch are behind me... now just have some hundreds of lines of scrollback in here to catch up on19:51
corvusfungi: every line is precious and will be a joy for you to read19:52
clarkbfungi: start here https://review.openstack.org/#/c/638745/1 :)19:52
*** yamamoto has joined #openstack-infra19:52
*** Vadmacs has quit IRC19:52
*** luizbag_ has quit IRC19:53
cmorpheusclarkb: ya i saw :D i rebased the other puppet4 switches19:53
*** yamamoto has quit IRC19:57
*** wolverineav has quit IRC19:59
*** eernst has joined #openstack-infra19:59
*** wolverineav has joined #openstack-infra19:59
*** eernst has quit IRC20:01
fungiclarkb: yes, the storyboard and openstackid servers are all running on xenial now. there may still be a bit of cleanup to do but it should be safe to check them off the list20:03
*** wolverineav has quit IRC20:04
clarkbfungi: great. I had a followup question on whether or not we could merge the futureparser updates for openstackid servers. If you could review those (assuming we are ready) I can approve and babysit20:04
*** wolverineav has joined #openstack-infra20:04
clarkbthe list of trusty servers gets shorter and shorter :) hopefully I'lld have kdc01 gone sometime monday20:05
*** jcoufal has quit IRC20:05
fungiyeah the puppet 4 change should be fine but we'll want to keep an eye on syslog for openstackid.org definitely20:06
*** lpetrut has quit IRC20:08
clarkbya we can do -dev first and make sure it looks happy befor edoing prod20:08
*** e0ne has quit IRC20:08
fungithat should be a proper test at this point now that they're both back in sync20:09
*** wolverineav has quit IRC20:09
openstackgerritMerged opendev/base-jobs master: Remove pre playbook from opendev-build-docker-image  https://review.openstack.org/63875820:11
clarkbya this was one of the reasons for waiting20:12
*** ekultails has quit IRC20:25
*** markvoelker has joined #openstack-infra20:25
fungiwhat's our stance on extending devstack-gate these days? came up in the context of tbarron's https://review.openstack.org/62692120:26
openstackgerritMerged openstack-infra/system-config master: Don't install a blank docker daemon config  https://review.openstack.org/63819920:26
corvusfungi: that should totally be a zuulv3 job that inherits from devstack or tempest and adds a one-line change to the logging variable20:28
tbarronfungi: corvus: so iiuc the corresponding logging captures there for, say ceph or gluster, were pre-zuul-v320:29
corvusi'm not going to -1 something like that, but i don't think i should be +2ing it either.20:29
tbarronfungi: corvus: i do want to convert all our legacy jobs over, we just have reduced cores/participants and haven't gotten to that for this one yet20:29
* fungi notes devstack-gate isn't exactly bursting with new core reviewers either ;)20:30
tbarronfungi: yeah ..., sorry to add work :)20:30
*** ijw has quit IRC20:31
openstackgerritMerged openstack-infra/system-config master: run-base: configure docker mirrors on all hosts in CI  https://review.openstack.org/63820020:31
fungiwell, we did a bunch of extra work to create a new system which would let the individual teams take care of such things themselves so we could stop reviewing changes to unnecessarily centralized tools like devstack-gate20:31
tbarronfungi: corvus: naively, I didn't realize that I was proposing a mod to stuff that is only on the legacy path20:31
tbarronfungi: corvus: so i understand if you guys -2 it20:32
*** ijw has joined #openstack-infra20:32
tbarronfungi: corvus: i'll try to get that job converted over and can do a debug depends-on to this patch in the mean time when I need it20:32
fungiit's understandable. i think we didn't make a lot of noise about devstack-gate being cruft. it's more that the new-style devstack jobs inherit from playbooks and job definitions in the devstack repo where the qa team can take on responsibility for them alongside devstack itself20:33
corvusyeah, i don't mind if the change sits there for your use in debugging in the mean time :)20:33
fungiso devstack-gate is no longer in use (theoretically) by jobs other than those which were semi-automatically converted from the old zuul v2 configuration data20:34
tbarronfungi: corvus: my challenge is that I inherited legacy jobs with post-test-hook weirdness for our plugin and converting them w/o breaking everything is not straightforward20:34
openstackgerritMerged openstack-infra/system-config master: Add kdc03.openstack.org  https://review.openstack.org/63874520:34
tbarronfungi: corvus: i do like the new system much better20:34
corvusi was about to say something about how it shouldn't be hard to port the jobs over, but boy am i glad i didn't.  i would have put my foot squarely in my mouth.20:34
tbarroncorvus: well it might not be once I understand the weird auto-converted-from-jjb-jobs that we have now20:35
corvustbarron: if you have questions about how to accomplish something, i'm happy to help :)20:35
tbarroncorvus: if I had grown up with the jjb ones it might be clearer20:35
tbarroncorvus: thanks20:35
fungii'll be the first to acknowledge there were plenty of funky devstack-gate hooks which grew into random projects over the years which we didn't necessarily provide a clear migration path to deal with20:36
tbarron"so devstack-gate is no longer in use (theoretically) by jobs other than those which were semi-automatically converted from the old zuul v2 configuration data"20:36
clarkbfwiw if you run that service as a devstack screen service it will be auto logged for you20:36
tbarronthat's the part I didn't know, but could admittedly have inferred from looking at the new jobs20:36
clarkbthis is true of legacy and modern devstack jobs20:37
* corvus does some quick math to figure out how old someone would be who *literally* grew up with jjb.20:37
*** ijw has quit IRC20:37
tbarronheh, I would qualify, but we weren't from the same neighborhood20:37
fungii used to sprinkle it on my breakfast cereal as a kid20:38
clarkbcorvus: older than my kids20:38
clarkbmid 2012ish iirc so almost 720:39
tbarronoh it's a lot newer than i realized20:39
corvusclarkb: yeah, but i think you can add another 4-6 years to that and still consider them "having grown up with"20:40
corvusdepending on how precocious a kid is20:40
clarkbrelated. I was cleaning out my closet the other night and found my old jenkins bobblehead20:41
clarkbso that is sitting on my desk again20:41
*** ijw has joined #openstack-infra20:42
*** ekultails has joined #openstack-infra20:43
*** wolverineav has joined #openstack-infra20:45
*** ijw has quit IRC20:47
*** wolverineav has quit IRC20:50
openstackgerritJames E. Blair proposed openstack-infra/system-config master: Run an haproxy load balancer for gitea  https://review.openstack.org/63803320:54
openstackgerritColleen Murphy proposed openstack-infra/system-config master: Turn on the future parser for openstackid-dev  https://review.openstack.org/61600120:55
cmorpheusfungi: ^20:55
clarkbcmorpheus: oh I was just looking at that rebase :)20:55
clarkbcmorpheus: it needs to be dev*.openstack.org or dev[0-9]*.openstack.org20:56
cmorpheusoh20:56
clarkbI would do dev[0-9]*20:56
clarkbthe old non digited server should be deleted soon if not already20:56
*** wolverineav has joined #openstack-infra20:56
openstackgerritColleen Murphy proposed openstack-infra/system-config master: Turn on the future parser for openstackid-dev  https://review.openstack.org/61600120:57
corvusclarkb, fungi: while i'm waiting for some registry stuff, can you review https://review.openstack.org/637334 ? with that i can spin up some gitea servers.20:58
*** ijw has joined #openstack-infra20:58
fungisure!20:58
fungiclarkb: good catch on the glob20:58
*** markvoelker has quit IRC20:59
clarkbfungi: looks like dns for prod openstackid still points at the old server?21:00
fungidoes it? checking21:01
fungino, that's the new server. compare the address records to openstackid01.openstack.org21:02
openstackgerritMerged openstack-infra/nodepool master: doc bugfix for static provider  https://review.openstack.org/63751821:02
clarkboh I see, no cname21:02
fungithey should match (they do for me)21:02
clarkbwas that intentional?21:02
clarkboh right21:02
fungiyes, because dns21:02
clarkbbecause its root21:02
clarkbya21:02
fungiif we ran the org tld we could make a cname for openstackid in it21:03
fungibut alas we don't21:03
clarkbprobably a good thing21:03
fungijust as well, yeah. i have enough on my plate anyway21:03
*** ijw has quit IRC21:03
*** yamamoto has joined #openstack-infra21:04
clarkbfwiw I didn't end up removing the kdc02 principal from the host keytab file. Decided to do that when kdc01 is completely gone and remove both at the same time21:05
corvusfungi: you might be interested in seeing the vulnerability information on this page: https://hub.docker.com/_/debian/?tab=tags21:06
corvusi have no opinions about it.  i've never seen it before.  i just happened to notice it.21:07
openstackgerritMerged openstack-infra/nodepool master: Use a pipeline for dib stats  https://review.openstack.org/63826521:07
fungiwhere's the vulnerability information on that page? i'm likely going blind21:08
*** yamamoto has quit IRC21:09
corvusfungi: oh, wow, apparently that's something i see when i'm logged in21:09
corvusno wonder i haven't seen it before21:09
corvusand what kind of sense does that make?21:09
fungiabout as much sense as the open-source security summit google just ran this week which was by invitation only21:09
corvus(how is vulnerability information user-contextual?)21:09
corvusonly google knows whether you're a white or black hat.  regardless of whether you even know.21:10
*** tosky has joined #openstack-infra21:11
corvusfungi: https://screenshots.firefox.com/ICZBtKxIEIsokoFt/hub.docker.com21:12
fungidefinitely doesn't seem to jive with https://security-tracker.debian.org/tracker/CVE-2018-1795321:13
fungi1.1.3 is... ancient21:14
*** ijw has joined #openstack-infra21:14
corvuswell, that was probably wheezy21:15
corvusprobably would have been good of docker to include the tag name on that page21:15
fungiyeah, and identify images of distros which are long past their eol21:16
corvusbut of course, it's docker.  this is probably indexed by layer sha, and it's already forgot the tag.  i can't believe you didint' know that 6d0abf8ba24e5ff4bfd111e705a6d33a547fca1f0751c22c5205c504a569a is wheezy.21:16
corvusoh, wait, that's unstable.21:16
fungihah21:16
fungii also can't find any record of a linux-pam binary package ever existing in debian itself21:17
fungithough here's the snapshot for the pam 1.1.3-7.1 source package http://snapshot.debian.org/package/pam/1.1.3-7.1/21:18
fungipackage changelog says that was uploaded in 201221:20
*** ijw has quit IRC21:21
fungiif the current debian/sid docker image has a 7-year-old pam build in it, i'll be surprised21:21
fungias we just covered, that's as old as jjb, and older than clarkb's offspring21:23
openstackgerritJames E. Blair proposed openstack-infra/zuul-jobs master: run-buildset-container: fix username/password for proxy registry  https://review.openstack.org/63876721:23
corvusclarkb, fungi, AJaeger: ^ another oops21:23
corvusi have manually verified that fix works, it just didn't make it into my patch yesterday.  happily, the current work is actually exercising that code path and caught it.21:24
*** jcoufal has joined #openstack-infra21:24
clarkbyay yaml I suppose21:24
*** jcoufal has quit IRC21:25
fungithat's a rather amusing result of layering parsers, i suppose21:25
corvusthis is an interesting difference with docker-compose too, where env vars are treated as strings, not dicts.21:25
*** wolverineav has quit IRC21:26
corvus(so an earlier incarnation i had used "REGISTRY_PROXY_USERNAME="  which was fine in docker compose.21:26
*** wolverineav has joined #openstack-infra21:27
*** kjackal has quit IRC21:28
fungimildly reminiscent of quiet nans vs signaling nans in the ieee 754 fp standard. we need a quiet propagating null value which is only rendered to an actual null by the uppermost parser layer21:31
*** betherly has joined #openstack-infra21:32
*** wolverineav has quit IRC21:37
*** betherly has quit IRC21:37
*** yamamoto has joined #openstack-infra21:39
openstackgerritMerged openstack-infra/system-config master: Use host networking for gitea  https://review.openstack.org/63733421:42
openstackgerritEric Harney proposed openstack-infra/elastic-recheck master: Add query for tempest bug 1812036  https://review.openstack.org/63877121:42
openstackbug 1812036 in tempest "Tests creating encrypted volume types can conflict" [Undecided,New] https://launchpad.net/bugs/181203621:43
*** yamamoto has quit IRC21:43
corvusclarkb, fungi: looks like gitea haproxy is ready now too: https://review.openstack.org/63803321:45
clarkbDatabase propagation to kdc03.openstack.org: SUCCEEDED21:46
clarkbbut krb5-kdc doesn't seem to be running so I am going to reboot like I did on 0421:46
* clarkb updates packages first21:47
tonybNow that https://review.openstack.org/#/c/638527/ has merged (thanks!) do I need to wait for that to be applied or are the vhosts regenerated automagically after merge?21:48
*** ijw has joined #openstack-infra21:49
clarkbtonyb: you'll need to wait for a puppet pulse, but that should've been done a long time ago21:50
tonybclarkb: Okay thanks.  Any chance I can request one next week? (when y'all will be around to watch it?)21:52
openstackgerritMerged openstack-infra/zuul-jobs master: run-buildset-container: fix username/password for proxy registry  https://review.openstack.org/63876721:52
*** ijw has quit IRC21:54
*** ijw has joined #openstack-infra21:55
*** dave-mccowan has quit IRC21:55
*** markvoelker has joined #openstack-infra21:56
clarkbtonyb: Oh i mean it is done automagically. Are you seeing that things didn't apply as expected?21:57
tonybclarkb: Oh my bad I misunderstood21:58
tonybclarkb: I haven't checked ...21:59
tonybclarkb: Yup it's working now21:59
*** jtomasek has quit IRC21:59
tonybThanks21:59
clarkbgreat21:59
clarkbthinks work the way I expect them to then :)21:59
tonyb\o/21:59
tonybclarkb: I love it when that happens22:00
*** ijw has quit IRC22:00
diablo_rojotonyb, shouldn't you be enjoying your weekend? ;)22:00
tonybdiablo_rojo: I probably should be22:01
tonybdiablo_rojo: I ducked in to check on some work and thought I'd check for review commenst and saw that $stuff has merged22:01
tonybdiablo_rojo: so then I got all excied and started with the next step22:02
diablo_rojotonyb, I can't judge, I was up till like...23:15 answering questions in #openstack-dev for a potential outreachy intern22:02
diablo_rojoJust teasing :)22:02
tonybdiablo_rojo: All good.22:03
*** rh-jelabarre has quit IRC22:03
diablo_rojoIts good to be excited about what you're working on :)22:03
tonybdiablo_rojo: Yup!  Makes working on weekends fun!22:05
*** ijw has joined #openstack-infra22:05
diablo_rojotonyb, ha ha we are sick individuals22:06
* tonyb nods sagely22:06
tonyb;P22:06
* tonyb is going to go fix bikes for the kids22:07
tonybEnjoy what's left of your Friday and have a great weekend22:08
diablo_rojotonyb, you too :)22:08
openstackgerritMerged openstack-infra/system-config master: Turn on the future parser for openstackid-dev  https://review.openstack.org/61600122:11
funginow that's ^ merged i'm tailing the syslog to see what happens22:12
clarkbI get krb5-kdc running (which requried the stash file from the master fwiw. I'll update docs as soon as I fix the next thing) and then kpropd stops running22:12
clarkbso I'm close on kdc03 but not quite there yet22:12
fungidid we miss putting some of the secret material under configuration management?22:13
openstackgerritJames E. Blair proposed opendev/base-jobs master: Add run playbook to opendev-buildset-registry  https://review.openstack.org/63877622:14
corvusfungi, clarkb: another oops ^22:14
*** rlandy has quit IRC22:15
clarkbfungi: none of the secret material is under config management as far as I can tell22:15
clarkbI see the krb5-kpropd issue. I'll get a patch up for that22:16
corvusmost of the secret material is in the form of one-off "create a principal" commands.22:16
*** diablo_rojo has quit IRC22:18
fungiahh, so just needs to be created anew per kdc22:18
prometheanfiretonyb: thanks22:19
openstackgerritClark Boylan proposed openstack-infra/puppet-kerberos master: Simplify service management  https://review.openstack.org/63877722:20
clarkbfungi: yes. One exception is the ecrypted stash file which is consistent and could be puppeted. But I'll leave that as an exercise for later for now. And instead document that fact22:20
clarkbinfra-root ^ should be the fix for running krb5-kpropd on boot22:20
clarkbI'll write the docs update as soon as I'm done with reviwe of corvus oops fix22:21
clarkbfungi: fwiw I think ansible is relatively well suited to the tasks needed to create and sync the secret data, but we'll need to write that management tooling22:22
clarkbfungi: things like run kadmin.local command on master node. Copy results to all nodes.22:23
corvusclarkb: ++22:23
fungiand i guess 638776 is not going to run speculatively as it's in opendev/base-jobs22:23
corvusfungi: correct, https://review.openstack.org/637654 is broken waiting on that to land22:24
fungithat's what i thought. cool22:24
openstackgerritClark Boylan proposed openstack-infra/system-config master: Document kerberos stash file requirement  https://review.openstack.org/63877922:28
clarkband now documented at least22:28
corvusclarkb, fungi: https://review.openstack.org/637037 is the penultimate change and is ready to land22:29
*** markvoelker has quit IRC22:30
clarkbI've learned so much about kerberos22:30
clarkband debian packaging and debconf22:30
clarkbthe dream of the 90s is a live in portland or is it openstack infra >_>22:30
corvusclarkb: for you, it's both :)22:30
clarkbindeed22:31
corvusthough kerberos (unlike some other stuff from the 90s we run) is decidedly relevant.22:31
fungieven microsoft thinks so22:32
openstackgerritMerged opendev/base-jobs master: Add run playbook to opendev-buildset-registry  https://review.openstack.org/63877622:32
clarkbya I'm honestly quite surprised no one else has run into this packaging bug22:32
clarkbbecause kerberos is definitely still a thing22:32
clarkbwhich reminds me I need to figureo ut filing that bug22:32
clarkbI'm thinking a docker container might be the easiest way to reproduce on debian so that I don't end up being the person that says "please to fix in debian but I only tested on ubuntu"22:33
fungii mean, you could open a bug in lp against the ubuntu package and let the maintainer forward it22:34
clarkboh hrm I think the same person is actually listed in both places so maybe that woks well enough22:34
fungithough if you really want to reproduce and file it in debian i've got plenty of pointers22:35
clarkbno I think I've decided launchpad is easier :P22:35
*** lefteri5 has joined #openstack-infra22:35
clarkbthe maintainer of the package seems to be the same in both places so I think this will be fine22:35
fungiyeah, i can see the allure ;)22:36
*** sdake has joined #openstack-infra22:37
*** potsmaster has joined #openstack-infra22:40
openstackgerritColleen Murphy proposed openstack-infra/system-config master: Turn on the future parser for openstackid  https://review.openstack.org/61600222:44
openstackgerritColleen Murphy proposed openstack-infra/system-config master: Turn on the future parser for refstack  https://review.openstack.org/62815322:44
clarkbhttps://bugs.launchpad.net/ubuntu/+source/krb5/+bug/181737622:44
openstackLaunchpad bug 1817376 in krb5 (Ubuntu) "krb5-admin-server postinst has broken debconf if RUN_KADMIND set to false in /etc/default/krb5-admin-server" [Undecided,New]22:44
*** rkukura_ has joined #openstack-infra22:44
openstackgerritMerged openstack-infra/zuul-preview master: Build docker image  https://review.openstack.org/63703722:45
*** rkukura has quit IRC22:47
*** rkukura_ is now known as rkukura22:47
corvusw00t https://hub.docker.com/r/zuul/zuul-preview exists22:48
clarkbsuccess22:49
clarkbcloudnull: any luck following the console log to see what was happening?22:49
*** yamamoto has joined #openstack-infra22:56
openstackgerritMerged openstack-infra/system-config master: Run an haproxy load balancer for gitea  https://review.openstack.org/63803323:00
*** yamamoto has quit IRC23:00
*** diablo_rojo has joined #openstack-infra23:05
clarkbfungi: I think puppet runs on openstackid dev in the next 5 minutes or so23:10
fungiyeah, last run completed at 22:3123:13
rm_workIs devstack supported in this channel or #openstack-dev?23:13
*** rascasoft has quit IRC23:13
rm_workor another option I didn't consider :P23:13
fungi#openstack0qa23:13
rm_workahh k thx :)23:14
fungier, #openstack-qa23:14
fungithe qa team maintains devstack23:14
fungi(and tempest, and grenade and a host of other test tools)23:14
rm_workcool, thanks23:17
rm_workI appreciate that you folks always know exactly who to talk to or who owns pretty much anything :)23:17
rm_work<323:17
fungiwell, we have a cheat sheet23:17
fungihttps://git.openstack.org/cgit/openstack/governance/tree/reference/projects.yaml23:18
fungiand now, so do you!23:18
corvushrm, launch-node failed to connect to ssh on the servers i just tried to launch in vexxhost-sjc123:21
corvusi used --network="public" and it was given a public ip23:22
clarkbsecurity grops maybe?23:22
corvusclarkb: is that attached to the network?23:23
clarkbfungi: Feb 22 23:22:17 openstackid-dev01 puppet-user[29407]: (/Stage[main]/Openstackid/Package[php7.2-mysqlnd]/ensure) ensure changed 'purged' to 'present' is the only thing I notice, not sure if expected23:23
*** slaweq has quit IRC23:23
clarkbcorvus: no they are attached to the instance and you get the security group called 'default' by default if the cloud has security groups enabled23:23
corvushrm.  since we put a mirror in this region, i assume we would have updated the 'default' group23:23
clarkbif you server show $instance you should get the security groups listed there then can security-group list/show iirc23:24
clarkbcorvus: that is a good point23:24
corvusi'll run it again with --keep --verbose23:24
corvus--verbose was a bad idea23:24
clarkbha23:24
corvusthat's apparently for debugging openstacksdk.23:24
corvusRESP BODY: {"security_groups": [{"rules": [{"from_port": null, "group": {}, "ip_protocol": null, "to_port": null, "parent_group_id": "5a7c1b3d-682e-432b-9d71-fa7dcb8ff89a", "ip_range": {"cidr": "0.0.0.0/0"}, "id": "3839193d-3d6d-4846-9901-13c9788f70f1"}, {"from_port": null, "group": {}, "ip_protocol": null, "to_port": null, "parent_group_id": "5a7c1b3d-682e-432b-9d71-fa7dcb8ff89a", "ip_range":23:25
corvus{"cidr": "::/0"}, "id": "d40bfd91-d467-4af1-a887-ee502d45c5b0"}], "tenant_id": "462ecebbb6e34add9eeeae3936aa6cb9", "id": "5a7c1b3d-682e-432b-9d71-fa7dcb8ff89a", "name": "default", "description": "Default security group"}]}23:25
corvusthough it did show me that.23:25
clarkbthat rules out security group issues I think. The null port values mean any port and the two rules cover ipv4 and ipv623:26
clarkb(and you listed allowed things only no blocking rules)23:26
*** markvoelker has joined #openstack-infra23:27
*** lefteri5 has quit IRC23:27
*** mattw4 has quit IRC23:28
clarkbfungi: that package install request aws added to puppet a while back23:28
clarkbso I'm not sure why it would've been purged before, but we definitely ask to install it23:29
corvusclarkb: do you see anything about sshd in http://paste.openstack.org/show/745777/ ?23:29
*** ekultails has quit IRC23:31
openstackgerritMerged openstack-infra/puppet-kerberos master: Simplify service management  https://review.openstack.org/63877723:31
clarkbcorvus: no i also see little in the way of configuring ens3 or cloud-init23:32
clarkbpossible mnaser's image isn't set up right?23:32
corvusmnaser: i'm trying to start a v2-highcpu-8 instance with image "Ubuntu 18.04 LTS (x86_64) [2018-08-23]" in sjc1 and i can't connect to port 22 and the console log doesn't show anything about sshd.  instance 6c7d1634-6bda-41bb-a3cf-0f3947b04d29 if that helps.23:34
clarkbfungi: https://review.openstack.org/#/c/616002/9 is probably safe to approve? we can merge that modnay morning when smarcet and you are likely to be around a bit more though other than that unexpected but expected package isntall -dev looks fine23:35
clarkbup to you. Though I've been given a hard stop at 5pm local time to cook dinner23:36
clarkb(I half suspect you've found your weekend already)23:36
clarkbcorvus: we could upload our own image (maybe just upstream ubuntu image?) and try that? though chances are that is where mnaser got the image too23:37
*** wolverineav has joined #openstack-infra23:38
*** wolverineav has quit IRC23:42
openstackgerritJames E. Blair proposed openstack-infra/system-config master: WIP Run zuul-preview  https://review.openstack.org/63765423:45
openstackgerritClark Boylan proposed openstack-infra/system-config master: Make kdc03 the master kerberos kdc and admin server  https://review.openstack.org/63879323:51
clarkbI'm going to WIP ^ and keep it WIP until ready to go through the steps described in the commit message23:51
*** mriedem has quit IRC23:52
*** rascasoft has joined #openstack-infra23:58
*** markvoelker has quit IRC23:59
« Thursday, 2019-02-21 Index Saturday, 2019-02-23 »

Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!