Tuesday, 2023-01-24

« Monday, 2023-01-23 Index Wednesday, 2023-01-25 »
*** jpena|off is now known as jpena08:35
*** cloudnull2 is now known as cloudnull09:09
*** rlandy|out is now known as rlandy11:09
opendevreviewElod Illes proposed openstack/openstack-zuul-jobs master: Remove queens branch from periodic-stable templates  https://review.opendev.org/c/openstack/openstack-zuul-jobs/+/87159411:18
*** dviroel|out is now known as dviroel11:18
opendevreviewElod Illes proposed openstack/openstack-zuul-jobs master: Clean up queens branch filters  https://review.opendev.org/c/openstack/openstack-zuul-jobs/+/87159611:30
opendevreviewElod Illes proposed openstack/openstack-zuul-jobs master: Clean up queens branch filters  https://review.opendev.org/c/openstack/openstack-zuul-jobs/+/87159611:45
opendevreviewMerged openstack/openstack-zuul-jobs master: Remove queens branch from periodic-stable templates  https://review.opendev.org/c/openstack/openstack-zuul-jobs/+/87159412:44
opendevreviewElod Illes proposed openstack/openstack-zuul-jobs master: Clean up queens branch filters  https://review.opendev.org/c/openstack/openstack-zuul-jobs/+/87159612:45
ade_leefungi, hey - what am I doing wrong here ?  https://review.opendev.org/c/openstack/devstack/+/87160613:53
fungiade_lee: i've got a tight deadline for something at the moment and can't look deeper until later today, but something there seems to be resulting in tempest-full-py3 getting marked as only usable in post-review pipelines (presumably because of the use of a secret). i'm pretty sure with the job that's directly using that secret defined in a trusted config project it shouldn't raise that13:58
fungierror, so there's probably still some detail we're missing13:58
*** dasm|off is now known as dasm13:58
ade_leefungi, no worries -  whenever you get a chance- thanks14:02
*** dviroel is now known as dviroel|lunch15:19
clarkbade_lee: the job it complains about is the first devstack job defined in the check queue. THe first overall is a grenade job. But that implies that all devstack jobs that go through that inheritance tree would be affected and it isn't specific to a single job somehow16:20
clarkbwhich means time to work backward on the inheritance tree16:20
clarkbif I had to guess it is because you pass the secret to the parent here: https://opendev.org/openstack/project-config/src/commit/e3fe2736e6859481a3b8faea18a4c86257266798/zuul.d/jobs.yaml#L1276 and the parent is in an untrusted repo here: https://opendev.org/zuul/zuul-jobs/src/commit/096e8bd9c1eaed78619c1f8aaba9f0643b1a01a0/zuul.d/general-jobs.yaml#L4216:22
fungioh, does pass-to-parent need the parent to also be in a trusted config repo?16:25
clarkbI think so because the parent could be depends-on'd and pulled in speculatively?16:27
*** dviroel|lunch is now known as dviroel16:30
ade_leefungi, clarkb so how can we make it work?16:39
clarkbyou could stop doing pass to parent and process the secret in that job (not sure if this works for order of operations though). You can define the parent job in a trusted repo like opentack/project-config.16:40
clarkbif you put the logic in a role in zuul-jobs then have a job in openstack/project-config run the role that should work.16:41
*** dviroel is now known as dviroel|doc_appt16:43
ade_leeclarkb, so the thing that we are trying to do is create a job where the multinode playbook executes after the fips playbook 16:56
ade_leeclarkb, if I understand what you're saying then we need a job in project-config that basically copies over the fips and multinode playbooks16:57
ade_lee(both those playbooks call roles in zuul-jobs16:57
ade_leeclarkb, or I guess I need a multinode-fips role in zuul-jobs that basically copies over all the logic from multinode playbook and fips playbook 16:59
ade_lee(which is called from project-config16:59
fungiprobably the ua registration role can be called from a playbook in project-config as a solution?17:00
fungithat's the only task which needs to access the token17:01
ade_leeyeah I was just coming back to the registration role idea ..17:01
fungithough we might need to do that in the base job itself since we don't control the parentage of the multinode-fips job in zuul/zuul-jobs17:02
clarkbya the way to think about it is jobs are a zuul level construct that inform zuul on what to do. Part of that is handling of secrets safely. Zuul is saying you a violating the rules of that at a job level due to your inheritance. But within a job you can reuse roles and zuul will apply the correct safe version of that role based on what job information it has17:02
fungibasically we need to register with ua in some job's pre-run phase before the pre-run playbook for multinode-fips installs the packages and reboots the nodes17:04
fungiand i think the only way we'll be able to do that is through implicit parentage of multinode-fips, which means the "base" job is the only place we can do that, right?17:05
clarkbfungi: you can just add a new parent17:06
clarkbI wouldn't add that to the base job17:06
fungihow? make a job in the zuul-jobs standard library parent to a job in opendev's deployment?17:06
clarkbthe base job should be as small as possible due to its broad impact17:06
fungiotherwise i think we're left with forking multinode-fips and using a copy in a different repo we control, so that we can insert another parent17:06
clarkbfungi: make a new job in openstack/project-config called fips or whatever that does base <- fips <- multinode-fips <- devstack17:07
clarkbyes you have to fork the job17:07
fungii need to go run an errand real quick, but can continue brainstorming in a few minutes17:07
clarkbreuse at the level of roles not jobs here due to the secrets17:07
clarkbOne thing to cross check against is how the docker image jobs work17:09
ade_leeI suppose we could do something like fips <- openstack-multinode-fips <- devstack - given that the job multinode-fips will really be openstack specific17:09
ade_lee(even though its in zuul-jobs)17:09
clarkblooking at the docker image jobs (they also use pass to parent) we seem to define the job in base-jobs and not zuul-jobs. I believe for this very reason17:10
clarkbbut we reuse the roles in zuul-jobs17:10
ade_leehuh , I'm learning more and more - I didn't even know there was a base-jobs till now ..17:11
ade_leeclarkb, I'm not I follow which job you;re looking at -- which docker job in base-jobs uses pass-to-parent?  Is base-jobs lower than zuul-jobs in the inheritance hierarchy? 17:20
*** jpena is now known as jpena|off17:21
clarkbade_lee: in opendev/system-config our docker image builds pass to parent our dockerhub secret and the parent is in opendev/base-jobs. There is no zuul-jobs jobs in the hierarchy we reuse roles defined in zuul-jobs though17:23
*** dviroel|doc_appt is now known as dviroel19:13
opendevreviewMerged openstack/project-config master: nodepool: empty linaro-us cloud  https://review.opendev.org/c/openstack/project-config/+/87122019:44
opendevreviewMerged openstack/project-config master: nodepool: drop linaro-us  https://review.opendev.org/c/openstack/project-config/+/87119622:06
opendevreviewIan Wienand proposed openstack/project-config master: nodepool: fix new linaro provider name in nb04  https://review.opendev.org/c/openstack/project-config/+/87166622:07
clarkbhttps://groups.google.com/g/repo-discuss/c/056Q3NEF5Jc/m/1ys5dgGsAQAJ and https://groups.google.com/g/repo-discuss/c/tZwIp3Hx-wA/m/rJgmT_OsAQAJ sent to clarify those two different Gerrit items22:10
*** dviroel is now known as dviroel|out22:44
*** rlandy is now known as rlandy|out23:01
*** dasm is now known as dasm|off23:09
opendevreviewMerged openstack/project-config master: nodepool: fix new linaro provider name in nb04  https://review.opendev.org/c/openstack/project-config/+/87166623:38
« Monday, 2023-01-23 Index Wednesday, 2023-01-25 »

Generated by irclog2html.py 2.17.3 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!