*** dviroel|afk is now known as dviroel | 00:31 | |
*** dviroel is now known as dviroel|out | 00:35 | |
ecsantos[m] | clarkb: I managed to build Leap 15.3 using the opensuse element. openSUSE stopped providing root filesystem images starting with 15.2 (I asked for confirmation on #opensuse-factory but still waiting on an answer) | 00:51 |
---|---|---|
ecsantos[m] | So I did what the DIB devs did to Red Hat-based distro elements, to download the QCOW2 image and run the extract-image script. It worked fine, tested the built image on VirtualBox | 00:51 |
clarkb | oh interesting | 00:51 |
ecsantos[m] | My only concern is that the extract-image script is in the redhat-common element, and redhat-common installs some SELinux packages not available on openSUSE | 00:52 |
clarkb | the only gotcha with those extractions has been when the distros use very new qcow2 compression or very new filesystem flags. It limits where you can do the extraction, but given prior art I think this is fine | 00:52 |
clarkb | ya might want to make it more generic? and then have red hat specific options for red hat images | 00:52 |
ecsantos[m] | Yeah maybe put the script in a more generic element and make redhat-common depend on it | 00:53 |
ecsantos[m] | Not sure if it's the right approach but it's an idea | 00:54 |
clarkb | depending on how different the two distros are a new separate script might be fine too | 00:54 |
clarkb | I've got to go help with dinner now, but this sounds like good progress | 00:54 |
ecsantos[m] | Oh, sorry to ping you at this hour! Didn't know your time zone xD | 00:55 |
ecsantos[m] | Let's discuss tomorrow | 00:55 |
clarkb | no problem. My day is just ending. And now need to make food before the kids start complaining :) | 00:55 |
*** ysandeep|out is now known as ysandeep | 05:16 | |
*** bhagyashris_ is now known as bhagyashris | 07:52 | |
whoami-rajat | hi #openstack-infra , review.opendev seems to be down for some time, any hints regarding it or when it will be resolved? | 07:56 |
*** jcapitao_off is now known as jcapitao | 08:07 | |
*** bhagyashris__ is now known as bhagyashris | 08:07 | |
frickler | whoami-rajat: no issue for me, possibly your local connection? can you ping the host with either v4 or v6? | 08:07 |
whoami-rajat | frickler, yeah, seems to be issue on my end, working for some of my colleagues but not for some | 08:09 |
whoami-rajat | will try things on my end thanks frickler | 08:09 |
*** jpena|off is now known as jpena | 08:38 | |
*** mnasiadka_ is now known as mnasiadka | 08:43 | |
*** ysandeep is now known as ysandeep|lunch | 08:46 | |
*** sshnaidm|afk is now known as sshnaidm | 08:49 | |
*** bhagyashris_ is now known as bhagyashris | 09:20 | |
*** ysandeep|lunch is now known as ysandeep | 09:23 | |
*** ykarel is now known as ykarel|away | 09:47 | |
*** jcapitao is now known as jcapitao_lunch | 11:03 | |
*** dviroel|out is now known as dviroel | 11:15 | |
*** rlandy|out is now known as rlandy|ruck | 11:15 | |
*** bhagyashris_ is now known as bhagyashris | 11:21 | |
*** arxcruz is now known as arxcruz|ruck | 11:25 | |
*** bhagyashris_ is now known as bhagyashris | 11:45 | |
*** outbrito_ is now known as outbrito | 12:02 | |
*** dasm|off is now known as dasm | 12:08 | |
*** jcapitao_lunch is now known as jcapitao | 12:27 | |
*** anbanerj is now known as frenzyfriday | 12:57 | |
*** anbanerj is now known as frenzyfriday | 13:08 | |
*** emilien-oftc is now known as EmilienM | 13:35 | |
*** frenzyfriday is now known as frenzyfriday|ruck | 14:18 | |
*** akekane_ is now known as abhishekk | 14:29 | |
opendevreview | Gustavo Sanchez proposed openstack/project-config master: Add the cinder-nimblestorage charm to Openstack charms https://review.opendev.org/c/openstack/project-config/+/824584 | 14:34 |
opendevreview | daniel.pawlik proposed openstack/ci-log-processing master: Change container image build workflow https://review.opendev.org/c/openstack/ci-log-processing/+/824589 | 14:56 |
*** rlandy_ is now known as rlandy|ruck | 15:13 | |
*** ysandeep is now known as ysandeep|out | 15:54 | |
opendevreview | Merged openstack/project-config master: Add the cinder-solidfire charm to Openstack charms https://review.opendev.org/c/openstack/project-config/+/823803 | 16:02 |
*** dviroel is now known as dviroel|lunch | 16:05 | |
opendevreview | Merged openstack/project-config master: Add the cinder-nimblestorage charm to Openstack charms https://review.opendev.org/c/openstack/project-config/+/824584 | 16:08 |
*** sshnaidm is now known as sshnaidm|afk | 16:18 | |
*** dviroel|lunch is now known as dviroel | 17:00 | |
*** jpena is now known as jpena|off | 17:31 | |
abishop | clarkb: hi, we chatted earlier about a node being held for ade_lee | 17:53 |
abishop | it's the cinder-tempest-plugin-lvm-lio-barbican-fips job triggered by https://review.opendev.org/c/openstack/cinder/+/790535 | 17:53 |
abishop | we'd like to release that node, and hold one again to capture some fresh data | 17:53 |
fungi | abishop: i can do that, just a moment | 18:09 |
fungi | abishop: ade_lee: i've deleted the old hold and set a new one for the same parameters | 18:10 |
fungi | abishop: ade_lee: once your job fails again, let me know what ssh keys you want added to the held node | 18:11 |
abishop | fungi: thx! | 18:16 |
fungi | yw | 18:18 |
*** dviroel is now known as dviroel|out | 21:36 | |
*** dasm is now known as dasm|off | 21:45 | |
priteau | Hello. Were there new centos-8-stream images released today on zuul infra by any chance? We're seeing some odd CI failures with "ping: socket: Operation not permitted" | 22:00 |
clarkb | priteau: the most recent image was built 2 hours and 50 minutes ago. Uploads to clouds would happen after that. Prior to that is a day and 4 hours old | 22:02 |
clarkb | (we build each image daily) | 22:02 |
priteau | Do you have a backdoor to spin up one and check if ping is functional without sudo? | 22:03 |
priteau | I've seen such issues before, when a capability is missing on the ping binary | 22:04 |
clarkb | priteau: http://nl01.opendev.org/dib-image-list is where you can access this info. You can also download the image from https://nb01.opendev.org/images/ to test | 22:04 |
clarkb | (note the first url indicates which builder built the image then you use that to construct the second url) | 22:05 |
priteau | Thanks! | 22:05 |
clarkb | "when a capability is missing on the ping binary" you mean via selinux? | 22:06 |
clarkb | I thought capabilities were typically assigned to processes but not directly to their binaries | 22:06 |
clarkb | selinux applies to contents on disk though | 22:06 |
priteau | http://unixetc.co.uk/2016/05/30/linux-capabilities-and-ping/ | 22:07 |
clarkb | TIL capabilities can apply to files | 22:08 |
clarkb | priteau: https://mirror.bhs1.ovh.opendev.org/centos/8-stream/BaseOS/x86_64/os/Packages/iputils-20180629-8.el8.x86_64.rpm is a new package so your hunch is probably correct. Something updated and broke that | 22:16 |
clarkb | https://centos.pkgs.org/8-stream/centos-baseos-x86_64/iputils-20180629-8.el8.x86_64.rpm.html changelog says it is making ping unprivileged | 22:17 |
clarkb | I wonder if this was a problem previously but you didn't notice, and now the latest image build should address it? | 22:17 |
priteau | Interesting, good find | 22:18 |
clarkb | or they broke it | 22:18 |
clarkb | https://git.centos.org/rpms/iputils/c/efa64b5e05ccb2c1332304ad493acc874b61e13a?branch=c8s that's the actual update | 22:19 |
priteau | https://bugs.launchpad.net/tripleo/+bug/1957792 | 22:19 |
clarkb | That git diff seems to show exactly what you suspected. They made it unprivileged meaning you need privilege to run it now | 22:21 |
clarkb | it isn't clear to me why this was done and the commit message isn't helpful | 22:21 |
priteau | Thanks. I left a message on #centos-devel on Libera. | 22:25 |
priteau | Apparently there are unprivileged ICMP Echo sockets in Linux, there's a sysctl to manage access | 22:29 |
priteau | https://opennms.discourse.group/t/how-to-allow-unprivileged-users-to-use-icmp-ping/1573 | 22:29 |
clarkb | https://bugzilla.redhat.com/show_bug.cgi?id=1840190 ya I was just finding that | 22:29 |
clarkb | but why are they not toggling that if it is necessary by the package? | 22:29 |
clarkb | priteau: we don't seem to override any sysctl defaults in our image builds (we do set some things but in a separate file and not the ping group) | 22:32 |
clarkb | I suspect the bug here is that they aren' | 22:32 |
clarkb | er they aren't ensuring that the sysctl is configured to allow ping in that manner via the iputils package | 22:32 |
clarkb | (it should drop a file in /usr/lib/sysctl.d/ or something) | 22:32 |
priteau | So apparently there was a similar change in Fedora a while ago, but it included setting the sysctl: https://fedoraproject.org/wiki/Changes/EnableSysctlPingGroupRange | 22:41 |
clarkb | ya. The only other thing I see is https://codesearch.opendev.org/?q=vm.swappiness&i=nope&literal=nope&files=&excludeFiles=&repos= where jobs specifically update sysctls and that seems to edit /etc/sysctl.conf | 22:42 |
clarkb | but /usr/lib/sysctl.d/50-default.conf lacks the ping group sysctl entries on those hosts | 22:43 |
priteau | Thanks for the help. We'll see how to work around it tomorrow. | 22:45 |
clarkb | https://src.fedoraproject.org/rpms/iputils/c/84948e9f8ffacd36875356f920533497a9d20e18?branch=rawhide that is where fedora did the same thing. It isn't clear to me yet where fedora added the sysctl update. I suspect centos 8 stream just neglected to do that too | 22:45 |
fungi | once again i miss all the fun when i wander off to make dinner | 22:45 |
fungi | "ping now requires root" is an extra fun regression | 22:45 |
priteau | Ah, someone on #centos-devel mentioned https://bugzilla.redhat.com/show_bug.cgi?id=2037807 | 22:46 |
priteau | https://github.com/redhat-plumbers/systemd-rhel8/pull/246/files | 22:46 |
clarkb | the bugzilla bugs don't really link to the changes which is annoying | 22:47 |
priteau | So hopefully it will be fixed soon-ish | 22:47 |
fungi | i remember when /bin/ping used to be setuid 0 in order to be able to open a raw socket | 22:47 |
fungi | we would ping uphill both ways in the snow every day | 22:48 |
fungi | /sbin/ping is still setuid on my openbsd systems | 22:48 |
fungi | -r-sr-xr-x 2 root bin 355952 Sep 30 20:01 /sbin/ping | 22:49 |
clarkb | https://git.centos.org/rpms/systemd/commits/c8s no pending import there | 22:51 |
clarkb | so ya they just got the order here backwards I think | 22:51 |
clarkb | if only they had a zuul :) | 22:51 |
abishop | fungi, clarkb: looks like my cinder-tempest-plugin-lvm-lio-barbican-fips job triggered by https://review.opendev.org/c/openstack/cinder/+/790535 finished | 22:51 |
abishop | should I pm one of you my pub key? | 22:52 |
clarkb | abishop: sure | 22:52 |
clarkb | abishop: root@198.72.124.185 | 22:54 |
abishop | awesome, I'm in, many thx! | 22:55 |
clarkb | https://github.com/redhat-plumbers/systemd-rhel8/releases/tag/v239-55 appears to include the fix for sysctl and ping and that is one digit larger than the package in centos 8 stream. So ya hopefully when they import that it will be good to go (though maybe they should pull the ping update and do the package updates in the right order) | 23:05 |
*** rlandy|ruck is now known as rlandy|ruck|bbl | 23:45 |