Thursday, 2017-08-10

« Wednesday, 2017-08-09 Index Friday, 2017-08-11 »
jeblairpabelanger, mordred: i need to add one more thing to the secrets change (and also fix pep8 -- apparently tests pass though), so i've marked it wip; i'll fix it up tomorrow.00:19
jeblairpabelanger, mordred: i think we need to expose the job.untrusted_secrets attribute so that we can specify that, for example, the tarball upload job must not be run in check (even though it now *could* because it only has trusted secrets).  of course, defining it in openstack-zuul-jobs would achieve the same effect, but that would only be as a side effect -- we shouldn't have to make that choice because of that.00:21
jeblair(otherwise you could write a check job to upload something to tarballs.o.o which is bonkers)00:22
jeblairanyway, that's a very small change, so if you wanted to go ahead and become familiar with the change, that's okay.  just wanted to let you know there's one more revision coming, but it'll be small.00:23
*** xinliang has joined #zuul00:45
*** xinliang has quit IRC00:45
*** xinliang has joined #zuul00:45
*** jkilpatr has quit IRC01:04
tobiashjeblair: feel free to do anything you need with these04:38
*** amoralej|off is now known as amoralej07:23
*** xinliang has quit IRC07:48
*** xinliang has joined #zuul08:00
*** xinliang has quit IRC08:00
*** xinliang has joined #zuul08:00
*** electrofelix has joined #zuul08:19
*** xinliang has quit IRC08:23
*** xinliang has joined #zuul08:39
*** xinliang has quit IRC08:39
*** xinliang has joined #zuul08:39
*** xinliang has quit IRC08:52
*** xinliang has joined #zuul09:06
*** xinliang has quit IRC09:06
*** xinliang has joined #zuul09:06
*** xinliang has quit IRC09:31
*** xinliang has joined #zuul09:44
*** xinliang has quit IRC09:44
*** xinliang has joined #zuul09:44
*** jkilpatr has joined #zuul10:59
*** xinliang has quit IRC12:20
*** xinliang has joined #zuul12:33
*** Diabelko has joined #zuul12:41
Diabelkohello \o12:41
*** amoralej is now known as amoralej|lunch13:31
*** dkranz_ has joined #zuul13:31
mordredjlk: ping whence you awaken14:14
*** jkilpatr has quit IRC14:20
*** jkilpatr has joined #zuul14:20
Diabelkowhen I go to zuul:8001/status/change/1337,1 during the job I can see json with status just fine14:21
Diabelkohowever, when the job finishes I only see [], not the last status14:22
Diabelkois this expected behavior?14:22
Diabelkoand, is there a way to change it?14:22
*** amoralej|lunch is now known as amoralej14:24
mordredDiabelko: it is the expected behavior - the status is only the current live status. however, there is a patch up for review from tristanC to add some endpoints and a dashboard to see historical data14:44
mordredDiabelko: so once that's landed it should be easy to accomplish the thing you're trying to do14:45
openstackgerritMonty Taylor proposed openstack-infra/zuul feature/zuulv3: Add sphinx-autodoc-typehits sphinx extension  https://review.openstack.org/49255714:46
mordredjeblair: ^^ I came across that while looking at something else. we can't land it until there's a release containing a PR I submitted - so I added the PR link to the depends-on14:46
jeblairmordred: cool; should we wip that for now?14:48
Diabelkomordred: okay, because what I'm trying to do is to get that nice fancy table with build status review.openstack.org has14:53
Diabelkoand I'm running into a lot of issues there14:53
Diabelkobut good to know this behavior is expected ;)14:53
jlkmordred: pong, but just barely15:35
clarkbnew gerrit supports CI system comments natively now so in theory building that table becomes much easier once on newer gerrit (doesn't have to rely on magic strings that we just assume to be in place but may still need hacky js? not sure how much of the hacks have to stay around)15:44
openstackgerritJames E. Blair proposed openstack-infra/zuul feature/zuulv3: Bind secrets to their playbooks  https://review.openstack.org/49230716:13
openstackgerritJames E. Blair proposed openstack-infra/zuul feature/zuulv3: Expose final job attribute  https://review.openstack.org/47938216:14
openstackgerritJames E. Blair proposed openstack-infra/zuul feature/zuulv3: Remove 'auth' dict from jobs  https://review.openstack.org/49230916:14
jeblairpabelanger, mordred, clarkb, SpamapS, jlk: ^ those should be ready to go now; i'd appreciate careful review of that since it alters secrets substantially.16:14
jeblairmordred, pabelanger: any job stuff i can help move along while i await reviews?16:15
pabelangersure, will look shortly16:17
mordredjeblair: what's the deal with the --dir removal in the bubblewrap invocation?16:21
openstackgerritJames E. Blair proposed openstack-infra/zuul feature/zuulv3: Rename allow-secrets to allow-untrusted-secrets  https://review.openstack.org/49261416:23
jeblairmordred: gimme a sec to come up with a satisfactory answer :)16:25
jeblairmordred: i was looking at the directories we bind in, and that seemed redundant.  it means "create a directory at <foo>"  but right after it, we bind in an already existing directory.16:27
jeblairmordred: strictly speaking, it's probably an unrelated change and maybe could have been its own change.16:27
jeblairi just noticed it since i was reworking the directory structure a bit16:28
mordredjeblair: not a big deal - just curious (it didn't seem related, but then I was wondering if I was missing something)16:29
jeblairi'll leave a note16:30
jeblairalso worth noting there: i am changing the cwd from jobdir/ to jobdir/work/.  i don't think that will affect anything, but worth considering.16:30
jeblair(it seems that ansible uses the playbook directory as cwd anyway; that's why i don't think it will affect much)16:31
pabelanger+2 on the stack, excited to try them out now16:32
mordredjeblair: bikeshed - how about "allow-secrets-in-untrusted" instead? allow-untrusted-secrets reads weird enough that it hurts my head a smidge16:35
mordredor even allow-secrets-in-untrusted-context if we don't mind the super-long name16:35
jeblairmordred: agree with the head hurting.16:36
jeblairmordred: i wonder if we can come up with a phrasing that we can use on the job as well.  because basically, it's: pipeline.allow-untrusted-secrets means it can run jobs with job.untrusted-secrets.  so while the phrase 'untrusted secrets' kinda needs to be unpacked a bit, at least the logic there seems pretty clear.16:39
jeblairmordred: i don't mind the superlongname -- pipeline.allow-secrets-in-untrusted-context alone works for me, but i worry it increases the distance from job.untrusted-secrets.  is that okay?  or should we do job.secrets-in-untrusted-context or something?16:40
jeblair(i was also thinking maybe we could use new terminology, like 'restricted secrets' or something; not sure if that helps or not)16:41
mordredjeblair: yah - maybe that - because it makes both things extra clear on a topic where we likely want to minimize confusion16:41
mordred(job.secrets-in-untrusted-context and pipeline.allow-secrets-in-untrusted-context)16:41
mordredwe need more english words16:42
jeblairor maybe we should just switch to emoji16:42
mordredjeblair: I'm 100% certain that would fix everything16:46
*** bhavik1 has joined #zuul16:51
*** electrofelix has quit IRC17:08
jeblairpabelanger: were you going to remove the openstack dir from 491093?17:10
pabelangerjeblair: yes, I'll push up a change in a few minutes17:13
*** bhavik1 has quit IRC17:20
pabelangerjeblair: updated17:20
jeblairpabelanger, mordred: ^ +217:21
pabelangerjeblair: so, more about openstack-publish-tarball job. Once we approve your secrets change, you would like to move the GPG into a secret, correct?17:21
jeblairpabelanger: i think the gpg key, ssh key, and pypi creds can all be secrets at that point17:24
pabelangerjeblair: okay, so with the openstack-publish-tarball jobs, we don't want that to run in check / gate right? And assume it is okay in experimental / post / release / perodic, etc17:25
pabelangerbasicaly trying to establish with pipelines have secrets17:26
pabelangerwhich*17:26
jeblairpabelanger: with the new changes, all pipelines can use secrets in the trusted context17:26
jeblairpabelanger: so we can use secrets for the log server too17:26
pabelangerokay, that's what I wanted to confirm. I thought that was the case17:27
mordredpabelanger: oh - so - re: yesterday's discussion about the python to extract the name ...17:28
jeblairpabelanger: when the new change lands, we should set untrusted-secrets (or whatever we end up calling it) on publish-openstack-tarball to ensure it doesn't run in check17:28
mordredpabelanger: I think I was wrong and I think you don't  need it17:28
pabelangermordred: okay, cool.17:28
pabelangerjeblair: ack17:28
jeblairpabelanger, mordred: with new secrets stuff, is it possible to have a single job do tarball build, sign, and upload to tarballs and pypi?17:29
dmsimardjeblair, mordred: so that weird issue from #openstack-infra was about one of the zuul launchers being out of date -- do you think this is something we could detect pre-emptively? The launchers register themselves to zuul, right ? Is there some sort of sanity check before jobs are sent to it ?17:30
dmsimardBut, as usual, you can reply that this isn't in an issue with zuul v3 and that's cool too17:30
jeblairdmsimard: i'm going to do that ^ :)17:31
dmsimardsweet17:31
mordreddmsimard: yah - it's fixed in v3 :)17:31
jeblairdmsimard: (and it's happened once in 1.5 years of zuul v2.5)17:31
pabelangerjeblair: I think so, we should attempt it for sure17:31
dmsimardyou know you guys are really hyping zuul v3, it's like everything is fixed, all rainbows and unicorns17:32
dmsimardthere is no bugs, only zuul v317:32
jeblairdmsimard: we try to learn as we go :)  but zuulv3 will introduce entirely new, exciting bugs17:33
jeblairpabelanger: if so, that job will need to be a trusted job as well -- adding inventory hosts and running gpg on the executor are both things that need to happen in config repos17:34
dmsimardjeblair: oh, sure -- it'll solve issues and create new ones17:34
dmsimardjeblair: I was promised that containers would solve all my problems17:34
dmsimardonly they didn't tell me all about the "other" problems17:35
mordredjeblair: re: build/sign/upload - yeah, I think so? because I think we can define the bits that do the signing and uploading in project-config and have them grab secrets - and then it should be safe for those jobs to be used by people in their untrusted repos17:35
jeblairpabelanger: why don't you etherpad a sketch of the job real quick so you, mordred, and i can all get on the same page before starting on that.17:36
pabelangerjeblair: I still think we have some issues running stuff on the executor today inside bubblewrap. That was the main reason we did the 2 stage tarball17:36
mordredoh. right. software install needs17:36
jeblairpabelanger: oh -- is it that we can't run gpg in bwrap?17:36
mordredit's getting the dependency installed in the first place I believe17:37
pabelangerI haven't tested gpg, but we cannot run even run apt-get install foo today17:37
jeblair(when we make these jobs, let's leave comments about this)17:37
jeblairtwine!17:37
mordredit's not bwrap itself that's the problem - it's job content needing software to be installed on the executor17:37
jeblairthat was the thing wasn't it17:37
mordredjeblair: well, twine can be installed locally - pip install --user twine  should be fine17:37
pabelangerright, we needed to pip install twine, and it failed on lsb_release17:37
mordredah. lsb_release17:37
mordredand that was becuase lsb_release wasn't installed or because it was missing files?17:38
pabelangerso, I think we should try and do executor, but that is more yak shaving and not something we want to do for PTG?17:38
pabelangermordred: bwrap didn't bindmount in /etc/lsb-release files17:38
jeblairpabelanger: did you look into what would be needed on both fedora and ubuntu?17:39
jeblairto make pip install work?17:39
mordredgotcha. so we should be able to put those into the optional bind-mount-if-there list, right? I mean, seriously,lsb_release not working is a fundamental break from my pov17:39
pabelangerjeblair: /etc/lsb-release for debuntu and /etc/lsb-release.d;/etc/distro-release (IIRC) for redhat17:39
pabelangermordred: ya, I was looking at zuul.conf changes, we be talked out selfs out of that approach for now17:40
jeblairpabelanger: okay, so now that we know both of those, yes, i think we can jush hard-code those (conditionally) in zuul17:40
mordredyah - I agree with hard-coding those - they're fundamental parts of a working system17:40
*** amoralej is now known as amoralej|off17:41
pabelangerk, I had a patch up, but abandoned. Let me find it again17:41
mordredcool17:41
mordredpabelanger, jeblair: I could be wrong, but I think continuing to yak-shave on this isn't a bad thing - it's one of the new things we want to be able to do well, and if we can have even just one fully-plumbed-through example that would be great, yeah?17:42
pabelangerhttps://review.openstack.org/490200 was debuntu only, will need to update for redhat17:42
jeblairmordred: yes i think this is important.17:43
pabelangermordred: well, I was thinking another way would have been to have bwrap maybe just bindmount a ubuntu-minimal (xenial) DIB tarball and we didn't have to worry about picking the individual files for each specific operating system.  We'd basically say, zuul-executor bubblewrap was always operating system X17:44
jeblairpabelanger: we explicitly decided not to do that because it's exceedingly complicated.  i don't think anything has changed with regard to that.17:45
jeblairthat was something we discussed at length in the bubblewrap spec17:45
pabelangerRight, it became an issue distributing things17:45
jeblairpabelanger, mordred: can we come up with a plan for the tarball and release job(s)?17:48
jeblairso that we know what jobs we're writing, what they are going to do, and what features/bugs are blocking them?17:48
mordredjeblair: ok. I need to put the migration script aside and switch my brain to something else for a bit - so I'm going to context swtich back to job hacking (as much as I love being a relational join optimizer)17:49
mordredjeblair: yes - I think that's a great idea17:49
pabelangersure, I was going to look at moving ssh key into secrets first17:50
jeblairpabelanger, mordred: https://etherpad.openstack.org/p/mVSVwG4xos17:51
jeblairpabelanger: that should all probably be a role, right?17:52
pabelangeryes, if we expect another playbook not to inherit the publish-openstack-playbook. But still needs to live in project-config I think17:53
*** jtanner has joined #zuul17:54
*** openstackgerrit has quit IRC19:03
jeblairpabelanger, mordred: okay, i'll start on my items after lunch19:04
mordredjeblair, pabelanger: ++ - and thanks, that was fun19:05
jeblairw00t!19:05
jeblairi'm glad we did that; it's complicated :)19:05
pabelangerITS HAPPENING19:07
*** openstackgerrit has joined #zuul19:26
openstackgerritMerged openstack-infra/zuul feature/zuulv3: Bind secrets to their playbooks  https://review.openstack.org/49230719:26
openstackgerritMerged openstack-infra/zuul feature/zuulv3: Remove 'auth' dict from jobs  https://review.openstack.org/49230919:28
openstackgerritMerged openstack-infra/zuul feature/zuulv3: Expose final job attribute  https://review.openstack.org/47938219:28
jlkmordred: what did you want?19:52
*** jkilpatr has quit IRC20:11
jeblairmordred, pabelanger: two more bikeshed colors to consider on https://review.openstack.org/49261420:22
openstackgerritJames E. Blair proposed openstack-infra/zuul feature/zuulv3: Bindmount /etc/lsb-release into bubblewrap  https://review.openstack.org/49020020:28
*** dkranz_ has quit IRC20:37
clarkbjeblair: lsb-release isn't something set by the container itself if eg you run a fedora container on ubuntu?20:44
jeblairclarkb: bubblewrap is pretty light-weight containment; it doesn't use an image, it just sets up namespaces.  so there's no reason for it to supply a file like that on its own.20:47
clarkboh right its just bind mounting in /bin and /usr/bin and such20:48
jeblairyep, so these amount to some missing files that some already-installed programs expect20:48
pabelangerjeblair: sorry, left a -1 on release files20:49
pabelanger/etc/distro-release should have been "/etc/distrib-release"20:50
openstackgerritJames E. Blair proposed openstack-infra/zuul feature/zuulv3: Bindmount /etc/lsb-release into bubblewrap  https://review.openstack.org/49020020:55
jeblairpabelanger: ^ how's that approach?20:55
pabelanger+220:59
*** jkilpatr has joined #zuul21:00
mordredjeblair: lookg great - aslo, your other two paint colors look great too21:04
openstackgerritJames E. Blair proposed openstack-infra/zuul feature/zuulv3: Add Zuul to gate pipeline  https://review.openstack.org/49268921:10
openstackgerritJames E. Blair proposed openstack-infra/zuul-jobs master: Add zuul-jobs to gate pipeline  https://review.openstack.org/49269121:14
mordredjeblair: https://review.openstack.org/#/c/492689 seems to be unhappy with syntax and depends-on - but I think that's expected, yeah?21:17
jeblairmordred: right -- project-config doesn't get speculative execution, so that change has to land first21:18
openstackgerritJames E. Blair proposed openstack-infra/zuul feature/zuulv3: Bindmount /etc/lsb-release into bubblewrap  https://review.openstack.org/49020022:13
*** openstackgerrit has quit IRC22:18
mordredjeblair: I rechecked https://review.openstack.org/#/c/492689/ and it's now green22:38
jeblairmordred: i saw, and 91 too22:38
jeblairmordred: i just rechecked 9222:38
mordredjeblair: we just simul-rechecked 9222:39
jeblairmordred: i reckon those are ready for +3 now22:40
mordredyup22:40
mordredI have +2'd 89 and 9122:40
mordredjeblair: maybe these are fine for just the two of us to nudge in22:40
jeblairi think so, they seem pretty procedural22:41
jeblairmordred: 92 is green22:42
mordred+A22:45
*** openstackgerrit has joined #zuul22:57
openstackgerritMerged openstack-infra/zuul-jobs master: Add zuul-jobs to gate pipeline  https://review.openstack.org/49269122:57
pabelanger\o/22:58
pabelangerawesomeness22:58
mordredpabelanger: IKR???23:01
openstackgerritMerged openstack-infra/zuul feature/zuulv3: Add Zuul to gate pipeline  https://review.openstack.org/49268923:03
openstackgerritJames E. Blair proposed openstack-infra/zuul feature/zuulv3: Bindmount /etc/lsb-release into bubblewrap  https://review.openstack.org/49020023:45
openstackgerritMonty Taylor proposed openstack-infra/zuul-jobs master: Override tox requirments with zuul git repos  https://review.openstack.org/48971923:46
openstackgerritMonty Taylor proposed openstack-infra/zuul-jobs master: Rename tox_command_line in docs to tox_extra_args  https://review.openstack.org/48975823:46
openstackgerritMonty Taylor proposed openstack-infra/zuul-jobs master: WIP job for non-OpenStack sphinx build  https://review.openstack.org/49270923:46
mordredjeblair: ^^ rebased that stack which had gone into conflict with the gate addition23:46
jeblairmordred: cool, i'd love to have that23:47
*** pabelanger has quit IRC23:47
*** pabelanger has joined #zuul23:47
openstackgerritJames E. Blair proposed openstack-infra/zuul-jobs master: Use shell for apt-get update  https://review.openstack.org/49271623:57
openstackgerritJames E. Blair proposed openstack-infra/zuul-jobs master: Use shell for apt-get update  https://review.openstack.org/49271623:59
« Wednesday, 2017-08-09 Index Friday, 2017-08-11 »

Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!