jeblair | SpamapS: i think that's the right track, but we'll need to actually land a commit to the upstream repo instead of copying the file in place, because zuul's going to read its configuration from git commits (not just the working tree) | 00:00 |
---|---|---|
SpamapS | jeblair: just noticed that. :) | 00:01 |
SpamapS | jeblair: though this _is_ still more consistent ... consistently wrong. :) | 00:01 |
jeblair | all that really matters | 00:02 |
openstackgerrit | James E. Blair proposed openstack-infra/zuul feature/zuulv3: Inherit playbooks as expected https://review.openstack.org/430483 | 00:09 |
jeblair | mordred: ^ you want to take a look at that and see if it makes sense? | 00:12 |
mordred | jeblair: yes! | 00:12 |
jeblair | mordred: while i was writing that, i was thinking about your change, so i left a comment on 428798 with a suggestion about where we could do a playbook plugin check, when you get to that. we don't have roles yet (that's still a WIP on my plate, but i think it will look similar) | 00:13 |
mordred | jeblair: I have read the commit message and realize that 6:13pm is not the time for me to wrap my head around that - it's open in my review screen now so I can read it in the morning :) | 00:14 |
mordred | and cool! | 00:14 |
jeblair | mordred: yeah, that's probably for the best. :) | 00:14 |
SpamapS | hrm | 00:14 |
SpamapS | having trouble figuring out which repo to land the commit in | 00:14 |
jeblair | SpamapS: it needs to be the same repo it originally read the config from | 00:15 |
SpamapS | I have test_root/{upstream,git} | 00:15 |
SpamapS | I have test_root/{upstream,git}/layout-idle | 00:15 |
SpamapS | seems like upstream is the right one | 00:16 |
jeblair | SpamapS: yeah, should be | 00:16 |
SpamapS | jeblair: ok so I do think it's still cancelling the jobs, despite them still existing as job definitions. | 00:20 |
SpamapS | reading backwards from the cancel logic now to find out where it's supposed to find those jobs | 00:21 |
jeblair | SpamapS: earlier, it was canceling them not because they weren't defined, but because they were defined in a different repo, and jobs are only "equal" if they are defined in the same repo. i put some print statements in _reenqueueTenant to find that. | 00:23 |
jeblair | SpamapS: specifically, the line 'if jobtree and jobtree.job in new_jobs' was evaling to false because of the inequality | 00:24 |
*** saneax-_-|AFK is now known as saneax | 00:24 | |
SpamapS | jeblair: The repo is staying the same now, but I'll check to see if that's still failing for some reason. | 00:25 |
openstackgerrit | Clint 'SpamapS' Byrum proposed openstack-infra/zuul feature/zuulv3: Re-enable test_abandoned_not_timer https://review.openstack.org/427985 | 00:25 |
SpamapS | jeblair: ^^ with the commit | 00:25 |
SpamapS | jeblair: jobtree is coming out false for both jobs when we do this line: jobtree = item.job_tree.getJobTreeForJob(build.job) | 00:33 |
SpamapS | or rather, None | 00:33 |
SpamapS | which kind of feels like the job is disappearing | 00:34 |
* SpamapS getting used to the 7s turn around on answers | 00:38 | |
jeblair | SpamapS: you may want to use addCommitToRepo -- i think you're missing the branch ref update which that handles | 00:47 |
SpamapS | jeblair: oh didn't even look for handy dandy helpers | 00:52 |
openstackgerrit | Adam Gandelman proposed openstack-infra/zuul feature/zuulv3: Re-enable test_footer_message https://review.openstack.org/430486 | 00:53 |
SpamapS | jeblair: looking closer... I'm seeing something where JobTree.getJobTreeForJob() always returns None. | 00:54 |
* SpamapS still waiting for some of this to click into place in brain | 01:02 | |
SpamapS | jeblair: this seems like "the problem" ? | 01:15 |
SpamapS | jobtree Jobs are not eq because of (project-bitrot-stable-older != project-bitrot-stable-older) k=nodeset | 01:15 |
openstackgerrit | James E. Blair proposed openstack-infra/zuul feature/zuulv3: Implement node equality https://review.openstack.org/430491 | 01:15 |
jeblair | SpamapS: yep! :) | 01:16 |
jeblair | i just pushed that change up with my debug statements as illustration, i will remove them now | 01:16 |
SpamapS | jeblair: as in, you're seeing the same thing? | 01:17 |
openstackgerrit | James E. Blair proposed openstack-infra/zuul feature/zuulv3: Implement node equality https://review.openstack.org/430491 | 01:18 |
openstackgerrit | James E. Blair proposed openstack-infra/zuul feature/zuulv3: Add __repr__ to jobtree https://review.openstack.org/430493 | 01:18 |
SpamapS | jeblair: oh that's funny I added almost the same repr to jobtree here. :) | 01:18 |
jeblair | SpamapS: this is a good sign :) | 01:18 |
jeblair | SpamapS: feel free to take or ignore from those two changes as you need | 01:19 |
SpamapS | jeblair: I've cherry picked on top of 430491 to see if that solves my problem | 01:19 |
jeblair | SpamapS: fyi, job still failed for me, but the word 'cancel' does not appear in the logs | 01:20 |
jeblair | er, test still failed | 01:20 |
SpamapS | jeblair: yeah, likely problems further down | 01:21 |
jeblair | (i did not look further) | 01:21 |
SpamapS | jeblair: actually it fails further down the test | 01:22 |
SpamapS | so looks like a weiner | 01:22 |
jeblair | mmm | 01:23 |
SpamapS | maybe frankfurter | 01:24 |
SpamapS | but either way, we made sausage | 01:24 |
SpamapS | new problem is that in the reconfigure the new gerrit-triggered job is not added. | 01:42 |
SpamapS | but I think it's time to EOD | 01:43 |
openstackgerrit | Clint 'SpamapS' Byrum proposed openstack-infra/zuul feature/zuulv3: Re-enable test_abandoned_not_timer https://review.openstack.org/427985 | 01:44 |
openstackgerrit | Clint 'SpamapS' Byrum proposed openstack-infra/zuul feature/zuulv3: Implement node equality https://review.openstack.org/430491 | 01:44 |
SpamapS | jeblair: oops, I didn't mean to update 430491, just got it caught in a rebase | 01:44 |
jeblair | np | 01:44 |
SpamapS | but 427985 needs to be stacked on it | 01:44 |
* SpamapS EOD's | 01:45 | |
jeblair | SpamapS: they're all yours as you see fit :) | 01:45 |
openstackgerrit | James E. Blair proposed openstack-infra/zuul feature/zuulv3: Inherit playbooks as expected https://review.openstack.org/430483 | 01:47 |
*** saneax is now known as saneax-_-|AFK | 02:10 | |
*** saneax-_-|AFK is now known as saneax | 03:58 | |
openstackgerrit | Clint 'SpamapS' Byrum proposed openstack-infra/zuul feature/zuulv3: Re-enable test_abandoned_not_timer https://review.openstack.org/427985 | 04:29 |
SpamapS | jeblair: ^^ got it! | 04:29 |
*** bhavik1 has joined #zuul | 05:10 | |
*** bhavik1 has quit IRC | 05:16 | |
openstackgerrit | Clint 'SpamapS' Byrum proposed openstack-infra/zuul feature/zuulv3: Re-enable test_abandoned_not_timer https://review.openstack.org/427985 | 05:26 |
openstackgerrit | Clint 'SpamapS' Byrum proposed openstack-infra/zuul feature/zuulv3: Re-enable test_idle https://review.openstack.org/430568 | 05:26 |
openstackgerrit | Clint 'SpamapS' Byrum proposed openstack-infra/zuul feature/zuulv3: Re-enable test_idle https://review.openstack.org/430568 | 05:28 |
*** Cibo_ has joined #zuul | 05:28 | |
*** yolanda_ has quit IRC | 06:02 | |
*** yolanda_ has joined #zuul | 06:02 | |
*** abregman has joined #zuul | 06:21 | |
*** abregman has quit IRC | 07:41 | |
*** abregman has joined #zuul | 07:42 | |
*** hashar has joined #zuul | 08:37 | |
*** abregman has quit IRC | 09:01 | |
*** openstackgerrit has quit IRC | 09:34 | |
*** openstackgerrit has joined #zuul | 09:38 | |
openstackgerrit | Merged openstack-infra/zuul feature/zuulv3: Re-enable multiple gerrit connection test https://review.openstack.org/406699 | 09:38 |
*** pleia2_ has joined #zuul | 09:40 | |
*** SotK_ has joined #zuul | 09:41 | |
*** hashar is now known as hasharAway | 09:42 | |
*** jasondotstar_ has joined #zuul | 09:44 | |
*** timrc has joined #zuul | 09:44 | |
*** pleia2 has quit IRC | 09:45 | |
*** cinerama has quit IRC | 09:45 | |
*** dmsimard has quit IRC | 09:45 | |
*** jasondotstar has quit IRC | 09:45 | |
*** timrc_ has quit IRC | 09:45 | |
*** SotK has quit IRC | 09:45 | |
*** dmsimard has joined #zuul | 09:51 | |
*** abregman has joined #zuul | 10:15 | |
*** SotK_ is now known as SotK | 10:26 | |
*** hasharAway has quit IRC | 10:46 | |
*** hashar has joined #zuul | 10:52 | |
*** cinerama has joined #zuul | 11:52 | |
*** hashar has quit IRC | 12:12 | |
openstackgerrit | Evgeny Antyshev proposed openstack-infra/zuul master: Set GIT_SSH env when updating repository https://review.openstack.org/430872 | 12:32 |
*** hashar has joined #zuul | 12:33 | |
*** pleia2_ is now known as pleia2 | 12:57 | |
*** saneax is now known as saneax-_-|AFK | 13:32 | |
rcarrillocruz | i +A'd https://review.openstack.org/#/c/403732/ | 13:49 |
rcarrillocruz | mordred , clarkb , jhesketh | 13:49 |
rcarrillocruz | will rebase the last change for setup_host off ^ | 13:50 |
mordred | rcarrillocruz: \o/ | 13:52 |
*** markmcd has joined #zuul | 14:31 | |
openstackgerrit | Clint 'SpamapS' Byrum proposed openstack-infra/zuul feature/zuulv3: Re-enable test_timer https://review.openstack.org/430968 | 14:35 |
*** herlo has quit IRC | 14:44 | |
*** herlo has joined #zuul | 14:50 | |
*** herlo has joined #zuul | 14:50 | |
openstackgerrit | Clint 'SpamapS' Byrum proposed openstack-infra/zuul feature/zuulv3: Re-enable test_timer_smtp https://review.openstack.org/430983 | 15:01 |
openstackgerrit | David Shrewsbury proposed openstack-infra/nodepool feature/zuulv3: Add new Node ZK model attributes. https://review.openstack.org/430992 | 15:23 |
openstackgerrit | David Shrewsbury proposed openstack-infra/nodepool feature/zuulv3: Add new Node ZK model attributes. https://review.openstack.org/430992 | 15:25 |
*** saneax-_-|AFK is now known as saneax | 15:25 | |
*** saneax is now known as saneax-_-|AFK | 15:40 | |
openstackgerrit | Merged openstack-infra/nodepool master: Start using dogpile caching in devstack tests https://review.openstack.org/299690 | 15:45 |
jeblair | mordred: thoughts on 430483? | 15:46 |
mordred | jeblair: yes. it looks good, and much _less_ complex than I thought yesterday at 6pm | 15:47 |
mordred | jeblair: I thought it was talking about an onion-like execution path for the playbooks | 15:47 |
mordred | except as a list | 15:47 |
mordred | and I was like "what?" | 15:48 |
mordred | but list-append-then-walk-backwards-and-return-first-found as an impl does exactly what we want I believe | 15:49 |
jeblair | mordred: cool. yeah, i reckon we only want to run one, but with the implied naming, i wasn't sure how to do that other than this. we could drop the implied names if we don't like it -- but i *think* this will magically do what users want... | 15:50 |
mordred | I do too | 15:50 |
jeblair | mordred: i was just thinking we haven't talked about the console streaming thing in a while... since it's semi-related to the work you're doing on the security stuff, do you think there's a chance we could get something done there (just telnet streaming maybe) before ptg? | 15:52 |
*** Cibo_ has quit IRC | 16:01 | |
mordred | jeblair: maybe? we should probably re-connect on approach | 16:09 |
jeblair | mordred: ok | 16:12 |
*** saneax-_-|AFK is now known as saneax | 16:26 | |
*** abregman has quit IRC | 16:26 | |
SpamapS | jeblair: so, I was thinking of adding a 'search this story for text' feature to boartty | 17:01 |
SpamapS | jeblair: before I do, wanted to make sure you hadn't already done that. :) | 17:01 |
jeblair | SpamapS: i have not -- gertty has interactive search, so you could lift it from there | 17:31 |
SpamapS | jeblair: that was exactly my plan. :) | 17:37 |
SpamapS | jeblair: also, sad news, presentty will not make it into the next Debian stable, because of its dependence on cowsay, which has been removed for license ambiguity around the ascii art. | 17:38 |
SpamapS | I believe they'll resolve that and restore cowsay, but I haven't had time to remove the dependency :-P | 17:38 |
SpamapS | (also it really is required.. ;) | 17:38 |
jeblair | SpamapS: oh noes! | 17:43 |
jeblair | SpamapS: presentty will run without it of course, so it could be 'recommended' | 17:44 |
SpamapS | jeblair: yeah, that's the thing I just never got around to fixing. ;) | 17:48 |
*** jamielennox is now known as jamielennox|away | 18:00 | |
*** hashar has quit IRC | 18:00 | |
openstackgerrit | David Shrewsbury proposed openstack-infra/nodepool feature/zuulv3: Add new Node ZK model attributes. https://review.openstack.org/430992 | 18:18 |
Shrews | forgot private_ipv4 ^^^^ | 18:18 |
mordred | Shrews: bah. like that's important | 18:19 |
openstackgerrit | Evgeny Antyshev proposed openstack-infra/zuul master: Fix setting of GIT_SSH for timer merge jobs https://review.openstack.org/430872 | 18:20 |
*** mattclay has quit IRC | 18:35 | |
*** auggy has quit IRC | 18:35 | |
*** patrickeast has quit IRC | 18:37 | |
*** zaro has quit IRC | 18:37 | |
*** morgan has quit IRC | 18:45 | |
*** TheJulia has quit IRC | 18:45 | |
*** saneax is now known as saneax-_-|AFK | 19:15 | |
SpamapS | jeblair: ah, so what I want is actually a search _within_ a story.. specifically I want to be able to look for tasks with a given string. | 19:17 |
SpamapS | jeblair: oh n/m I found interactive search on the list changes in gertty | 19:18 |
SpamapS | but ctrl-s doesn't seem to do much | 19:19 |
SpamapS | oh it's subtle | 19:19 |
pabelanger | jeblair: left a reply on 430329 about split_daemon. We are covered with the updates to 430324 now, but will be more complex to support split_daemon moving forward | 19:27 |
pabelanger | I've also addressed 430339 in 430324 too | 19:28 |
*** auggy has joined #zuul | 19:51 | |
mordred | Shrews: btw - (because I'm guessing it has at least some overlap to your current work) ... https://review.openstack.org/#/c/414759/ and the patch it depends on https://review.openstack.org/#/c/429925/ | 19:52 |
mordred | (the nodepool patch needs the shade patch to be released before it'll actually work) | 19:52 |
mordred | but also - should I forward-port that to the v3 branch? | 19:52 |
*** hashar has joined #zuul | 19:54 | |
Shrews | looking | 19:54 |
Shrews | mordred: I don't think that will actually interfere with my current work. Unless you're touching nodepool.py or zk.py, should be fine. | 19:55 |
mordred | Shrews: okie. cool | 19:55 |
mordred | also - in case you're wondering - normal.oy is not a real file | 19:56 |
Shrews | mordred: as for forward-porting, I suspect whenever master gets merged into feature/zuulv3 would take care of it, yeah? | 19:56 |
Shrews | mordred: i mean, i don't need what you're selling right now, so waiting until merge is fine | 19:58 |
openstackgerrit | Clint 'SpamapS' Byrum proposed openstack-infra/zuul feature/zuulv3: Re-enable test_timer https://review.openstack.org/430968 | 20:03 |
openstackgerrit | Clint 'SpamapS' Byrum proposed openstack-infra/zuul feature/zuulv3: Re-enable test_timer_smtp https://review.openstack.org/430983 | 20:03 |
openstackgerrit | Monty Taylor proposed openstack-infra/zuul feature/zuulv3: Add action plugins to restrict untrusted execution https://review.openstack.org/428798 | 20:05 |
*** patrickeast has joined #zuul | 20:05 | |
*** TheJulia has joined #zuul | 20:05 | |
mordred | Shrews: yah - I agree - if you're not touching that part then waiting for the merge sounds totes sane | 20:05 |
mordred | jeblair: ^^ there's a bit more on the restriction stuff - turns out action plugin paths are totally a thing, so we can just have two dirs | 20:06 |
SpamapS | pabelanger: o/ Just wondering.. according to story#2000773, you have 19 tests in 'review' .... I wonder if we can break those up, because there's only 31 total left to re-enable. | 20:07 |
SpamapS | (if you subtract the others already in review) | 20:07 |
jeblair | mordred: cool :) | 20:07 |
SpamapS | mordred: the more I think about it, btw, the more I think we don't actually need bubblewrap. LXC can sandbox things without it, today. | 20:10 |
*** mattclay has joined #zuul | 20:10 | |
jeblair | SpamapS: i think bubblewrap gets us ability to do that without needing root? | 20:11 |
pabelanger | SpamapS: Hmm, I should only have 3 or so in review | 20:12 |
pabelanger | SpamapS: let me see if I didn't close some propelry | 20:12 |
*** morgan has joined #zuul | 20:12 | |
pabelanger | properly* | 20:12 |
SpamapS | pabelanger: cool thanks. | 20:12 |
SpamapS | I didn't look through all of them to see if they're still skipped. | 20:13 |
SpamapS | jeblair: right, but docker or lxc are just setuid tools to setup containers that exist now and are trusted in instances like this. | 20:13 |
jeblair | SpamapS: well if that works, sounds good to me... will wait for mordred to chime in in case we've missed something. | 20:14 |
*** zaro has joined #zuul | 20:14 | |
SpamapS | docker run ansible-playbook-for-zuul-jobs ansible-playbook foo.yaml | 20:14 |
jeblair | (i'm still very much in favor of the belts and suspenders approach) | 20:14 |
jeblair | SpamapS: not so much with the docker | 20:15 |
SpamapS | jeblair: Yeah, I think both are in order. | 20:15 |
jeblair | SpamapS: lxc sure. :) | 20:15 |
SpamapS | docker's just a way to assemble lxc's ;) | 20:15 |
SpamapS | IMO | 20:15 |
jeblair | SpamapS: i agree. but it brings along a whole world of complexity i don't want zuul to depend on. | 20:16 |
SpamapS | Also docker gives you a clear image format. Last time I checked lxc just runs a script to setup a chroot and then uses lxc to chroot and contain inside that. | 20:17 |
jeblair | yeah, the second thing is the one we want | 20:17 |
jeblair | because that's what we're already doing | 20:17 |
jeblair | we *have* a chroot | 20:17 |
jeblair | we're just not chrooting | 20:17 |
SpamapS | Oh we do? | 20:17 |
* SpamapS has not looked closely. | 20:17 | |
jeblair | SpamapS: sure, the jobdir contains everything the launcher needs to launch a job | 20:18 |
SpamapS | just need a bindir to put ansible + deps in? | 20:18 |
jeblair | exactly | 20:18 |
SpamapS | which can be bind mounted in pretty easily | 20:18 |
SpamapS | yeah, seems like that's sort of the unfriendly black-ops way to prevent problems, and then the friendly way is to have the limited action plugins. | 20:19 |
pabelanger | SpamapS: okay, moved a bunch to 'merged' | 20:19 |
SpamapS | pabelanger: \o/ | 20:19 |
SpamapS | yeah the story looks much healthier now | 20:20 |
* SpamapS plots adding a 'hide merged tasks' feature to boartty next ;) | 20:21 | |
pabelanger | https://review.openstack.org/#/c/429883/ and https://review.openstack.org/#/c/393887/ are looking for +3 | 20:21 |
openstackgerrit | Merged openstack-infra/zuul feature/zuulv3: Re-enable test_mutex https://review.openstack.org/429122 | 20:26 |
openstackgerrit | Merged openstack-infra/zuul feature/zuulv3: Re-enable test_json_status https://review.openstack.org/429146 | 20:27 |
SpamapS | mordred: you know, there's a case here to not do so much of this in zuul.. and create what amounts to "embedded mode" inside ansible. | 20:27 |
SpamapS | one might even argue it should be the default, and you should have to ask for "yes please allow playbooks to trash the host" | 20:29 |
SpamapS | s,trash,trash and/or read, | 20:29 |
mordred | SpamapS: yah - we actually had a chat in the ansible channel about that a couple of days ago | 20:39 |
mordred | and there is some support from the core folks - bcoca at the very least would like to see it exist | 20:40 |
mordred | but there is also concern that if they did it in that context and didn't get it solid, that it would be half-baked security so worse than no security | 20:40 |
mordred | which is to say - _yes_ ... but it'll probably take a while | 20:41 |
jeblair | that would be lovely :) | 20:54 |
jeblair | i mean, if it worked. not the half-baked security. | 20:54 |
mordred | jeblair: half-baked security _could_ be like a nice gooey cobbler though | 20:57 |
*** jamielennox|away is now known as jamielennox | 21:03 | |
Shrews | mmm, cobbler | 21:11 |
*** hashar has quit IRC | 21:14 | |
SpamapS | mordred: right I think that's a 3.0 type thing | 21:46 |
SpamapS | and I think if you simply make it an incremental improvement over nothing at all, it's ok to just put up walls. I reject the notion that imperfect security is worse than none at all. As long as it is simple enough it should have value. | 21:47 |
SpamapS | (what sucks is undertaking a massive effort that leads to extra complexity) | 21:48 |
SpamapS | but IMO this would be an attempt to clarify what's unsafe. | 21:48 |
clarkb | SpamapS: I think what you want to avoid is the gerrit drafts situation where the impression is you are secure but it's far from perfect and mostly worthless (not that this is the case here, but when considering imperfect being worse than none at all that's what I think of) | 22:12 |
SpamapS | clarkb: yeah, after 'pwn the datacenter' last year, I think Ansible might want to think about pushing development toward "secure by default", but it may be too steep a hill to climb. | 22:33 |
*** _ari_ has quit IRC | 23:26 | |
*** _ari_ has joined #zuul | 23:27 |