Tuesday, 2017-08-15

« Monday, 2017-08-14 Index Wednesday, 2017-08-16 »
*** SpamapS has joined #zuul00:00
*** ajafo has joined #zuul00:00
*** rcarrillocruz has joined #zuul00:00
*** jesusaur has joined #zuul00:00
*** pabelanger has joined #zuul00:00
*** cinerama` has joined #zuul00:00
*** yolanda has joined #zuul00:00
*** openstackgerrit has joined #zuul00:00
*** dmsimard|off has joined #zuul00:00
*** kmalloc has joined #zuul00:00
*** mordred has joined #zuul00:00
*** jkilpatr has joined #zuul00:00
*** lennyb has joined #zuul00:00
*** dkranz has joined #zuul00:00
*** amoralej|off has joined #zuul00:00
*** tflink has joined #zuul00:00
*** TheJulia has joined #zuul00:00
*** maxamillion has joined #zuul00:00
*** jtanner has joined #zuul00:00
*** Diabelko has joined #zuul00:00
*** ianw has joined #zuul00:00
*** rbergeron has joined #zuul00:00
*** fbouliane has joined #zuul00:00
*** mnaser has joined #zuul00:00
*** olaph has joined #zuul00:00
*** robled has joined #zuul00:00
*** bstinson has joined #zuul00:00
*** adam_g has joined #zuul00:00
*** robcresswell has joined #zuul00:00
*** pbrobinson has joined #zuul00:00
*** clarkb has joined #zuul00:00
*** kklimonda has joined #zuul00:00
*** jamielennox has joined #zuul00:00
*** tristanC has joined #zuul00:00
*** Shrews has joined #zuul00:00
*** toabctl has joined #zuul00:00
*** mattclay has joined #zuul00:00
*** patrickeast has joined #zuul00:00
*** SotK has joined #zuul00:00
*** zaro has joined #zuul00:00
*** jeblair has joined #zuul00:00
*** rfolco has joined #zuul00:00
*** eventingmonkey has joined #zuul00:00
*** jlk has joined #zuul00:00
*** mmedvede has joined #zuul00:00
*** mgagne has joined #zuul00:00
*** EmilienM has joined #zuul00:00
*** _ari_ has joined #zuul00:00
*** gothicmindfood has joined #zuul00:00
*** zigo has joined #zuul00:00
*** fungi has joined #zuul00:00
*** leifmadsen has joined #zuul00:00
*** ChanServ has joined #zuul00:00
*** tepper.freenode.net sets mode: +o ChanServ00:00
*** kmalloc is now known as Guest1121300:03
*** smyers has joined #zuul00:04
*** dkranz has quit IRC00:28
*** isaacb has joined #zuul03:51
*** jamielennox has quit IRC04:07
*** jamielennox has joined #zuul04:17
*** isaacb has quit IRC05:37
*** leifmadsen has quit IRC05:57
*** leifmadsen has joined #zuul05:58
openstackgerritClint 'SpamapS' Byrum proposed openstack-infra/zuul feature/zuulv3: Re-enable test_delayed_repo_init  https://review.openstack.org/49365906:38
*** isaacb has joined #zuul07:26
*** isaacb has quit IRC07:39
*** isaacb has joined #zuul07:51
*** isaacb has quit IRC08:13
*** isaacb has joined #zuul08:22
*** electrofelix has joined #zuul08:28
*** jkilpatr has quit IRC10:34
*** jkilpatr has joined #zuul10:52
*** clarkb has quit IRC11:52
*** clarkb has joined #zuul12:19
*** dkranz has joined #zuul12:27
*** persia has joined #zuul13:17
openstackgerritDavid Shrewsbury proposed openstack-infra/zuul feature/zuulv3: Add some examples to user guide Concepts section  https://review.openstack.org/49387313:30
Shrewsjeblair: ^^^ I'm fairly pleased with the clarity that change adds. It seemed to make more sense in the Concepts doc, rather than the config doc.13:31
*** dkranz has quit IRC14:06
*** dkranz has joined #zuul15:16
*** Guest11213 is now known as kmalloc15:19
*** kmalloc has joined #zuul15:19
*** isaacb has quit IRC15:35
jeblairmordred, pabelanger, clarkb, SpamapS: who's around for devstack etherpadding?16:00
mordredjeblair: morning! tying up one loose end real quick - be there in just a sec16:01
pabelangerhere too16:02
jeblairhttps://etherpad.openstack.org/p/AIFz4wRKQm16:03
clarkbo/16:03
clarkbwith toast and tea16:03
jeblairclarkb: to share?16:04
clarkbI don't think tcp works that way16:04
jeblairi added our previous roles refactoring list to the etherpad16:06
jeblairpabelanger: what was involved with 'ssh keys'?16:07
pabelangerjeblair: writing ansile role to distrubute them to nodes16:08
pabelangerbut with 1 time keys, I think that has changed16:08
jeblairpabelanger: yeah, we now have a public key on every node (as the zuul user at least -- do we use a different user in devstack-gate?)  so i think the only thing missing there would be to copy the private key as well.  we can do that.16:09
clarkbnova live migration requires root be able to ssh everwhere too16:09
clarkbwe add that in d-g for multinode jobs16:10
clarkbshould be easy enough to set a username on the playbook and do it for zuul/jenkins and root though16:10
jeblairya16:10
jeblairas i think about the ssh keys thing -- what's the applicability of the two "need to..." items that i put in there?  should installing the private key to ~zuul on all nodes be part of the base job add-build-sshkey role?  what about installing keys as root?  should that be a new role?16:16
jeblairclarkb, mordred, pabelanger: ping16:18
clarkbjeblair: I think the base job should handle base connectivity, thats a nice way to make multinode jobs easier for people writing them16:19
clarkbjeblair: but then we probably want to expose that same role for people that need to set up other users like root for libvirt live migrations16:19
clarkband that can be added to specific jobs that need it16:19
clarkbjust thinking that not every job is going to be native ansible on day one so preserving old multinode connectivity method of ssh between nodes will be useful16:19
pabelangerwe could try using add-build-sshkey first, sure16:20
jeblairmordred, clarkb, pabelanger: are we all here in irc?16:21
clarkbI am16:21
pabelangerI am16:21
mordredclarkb, jeblair: I kinda think it would be nice if add-build-sshkey in the base job would install keys everywhere so that all nodes can talk to each other16:21
jeblairsorry, a couple of quick meta questions:16:21
jeblair1 do we want to continue to chat in irc, or only on etherpad?16:22
clarkbI think we should record decisions/details on the etherpad because it keeps that important info next to the todo list16:22
clarkbbut irc may be better for having conversation and reaching those decisions or finding out those details16:22
jeblair2 do we want to add a little bit of structure to this?  a minute ago there were chats going on in areas of the etherpad too far apart to keep on my screen16:22
jeblairless structure and chat in etherpad worked pretty well last time, but the problem space wasn't as big16:23
mordredI can now do both IRC and etherpad- so whichever16:23
jeblairokay, mordred started some big picture items, let's focus on those for a minute, then get back to the minutia of roles16:23
jeblairpabelanger: what's the network sanity check role from our original list?16:41
jeblairis that covered by what we do in the base job, or is that related to network overlay?16:41
clarkbjeblair: it pings the mirror and does a dns lookup iirc16:41
pabelangerjeblair: we just ping our mirrors16:41
pabelangerya16:42
jeblairwe're doing that in base now iirc?16:42
clarkbjeblair: its behaviopr that devstack-gate had for a long time that got ansiblified basically to shrot circuit if networking si really broken16:42
mordredwe are doing that in base now16:42
pabelangeryes, in base16:42
jeblairokay, i'll strike it16:42
jeblaircan we chat about the localrc stuff for a bit?16:43
jeblairthis is one of those things where we have lots of jobs which add little bits of localrc config16:43
mordredyup. I believe clarkb and I were talking about different poritions of this16:43
jeblairit would be good if we can have an interface where folks can just inherit from devstack and add their bit of localrc16:44
pabelangerwill defer to mordred and clarkb for localrc. need to afk for a moment16:44
jeblairall in zuul.yaml, i think16:44
clarkbthe way it works today is you describe what you want in the localrc in your JJB job then devstack-gate comes along and uses devstack-utils to merge that into the localrc that will be used16:45
jeblairlet's find a good example of that real quick16:45
SpamapSjeblair: doohhhhh I did the timezone math wrong and had devstack etherpadding for 15 minutes from now16:45
SpamapSapologies!16:45
jeblairSpamapS: we have a ways to go yet :)16:45
SpamapSGood good...16:46
SpamapS(sad thing is I actually have UTC on my google calendar and just forgot to look at it)16:46
clarkbjeblair: https://git.openstack.org/cgit/openstack-infra/project-config/tree/jenkins/jobs/neutron.yaml#n124 thats one I found thinking neutron would have an example16:46
* SpamapS joins the fray16:46
clarkbI think its a reasonable example since its more than one var being modified16:46
jeblairclarkb: cool16:46
jeblairso we have a neat thing in zuul --16:47
jeblairnormally when a job inherits from another job, attributes are overridden.  but the 'vars' attribute (which is job variables that are exported to ansible) is a little special16:47
jeblairit attempts to merge child and parent16:48
jeblairvars is a dictionary.  if there are any key collisions, the child wins, but any keys defined by the parent not defined by the child stick around16:48
jeblairthat behavior is recursive16:48
jeblairso if a value in vars is a dictionary, it too is merged16:49
jeblairi think we might be able to do something with that; lemme try in etherpad16:49
mordredyah - I think that behavior will be useful - if we make the equiv of the local_conf jjb macro a job input var ...16:49
mordredI think we also need to ensure devstack-utils is installed in a pre-run playbook ...16:50
clarkband the merge step is called somewhere16:50
jeblairclarkb: what does "[[local|localrc]]" mean?16:50
clarkbjeblair: that is the local.conf python ini config section16:51
clarkbjeblair: basically its the localrc portion of the ini local.conf file16:51
jeblairthe section is literally called "loca|localrc" ?16:51
clarkbya16:51
clarkblet me find an example file16:51
SpamapSI thought that meant it can be either one.16:51
mordredand I think we should make a module that exposes dsconf in ansible so that people can use that in their jobs if they need to conditionally set or not set config values ...16:51
clarkbhttp://logs.openstack.org/73/493673/2/check/gate-tempest-dsvm-neutron-full-ubuntu-xenial/91e7093/logs/local.conf.txt.gz16:51
mordredsuch as: https://git.openstack.org/cgit/openstack-infra/project-config/tree/jenkins/jobs/shade.yaml#n4616:52
pabelangerya, I like the example jeblair is mocking up now for localrc vars16:52
pabelangerwe do the same with environment variables in tox jobs16:52
pabelangerseems to work well16:52
clarkband then we can define the base localrc in the base job and we'll merge this on top? that should work well16:53
clarkbin that case we may not need devstack-utils since its job is to merge those items but if zuul/ansible already merge it all for us that dep goes away maybe16:54
jeblairclarkb: right... is there some example for that? i can put it in the etherpad16:54
pabelangerya16:54
clarkbjeblair: https://git.openstack.org/cgit/openstack-infra/devstack-gate/tree/devstack-vm-gate.sh#n58916:55
clarkbjeblair: basically its a command that you run that merges two ini files together16:55
jeblairmordred: it looks like that shade conditional is conditional on what specific job the template is being used for; but if you think of the job as parent and child, then you may not need conditionals like that16:55
mordredyes - absolutely!16:56
clarkbI think I would do vars:\n  devstack_local.conf:\n    'local|localrc':\n      Foo: Bar16:57
mordredjeblair: mostly just wanted to point out that since there is a python util called "dsconf" that's used by devstack and others to manipulate files later and that we need installed for d-g anyway- we might as well expose it in a module in case there are times when it actually is needed16:57
mordredit can go in the post-ptg stack though16:57
jeblairmordred: *nod* i think clarkb is thinking that its behavior is close enough to zuul's internal variable merge that it may not be necessary?16:57
clarkbthen you can have arbitrary ini headers. Then somewheredown the line have something that can write that out in the ini format the devstack wants.16:57
clarkbjeblair: ya16:57
mordredcool16:58
mordredemitting that should be fairly easy16:59
clarkbI put an example of what the behavior is today as I understand it17:00
clarkband mocked out what I'd expect zuul/ansible to do which i think is equivalent17:00
jeblairclarkb: that looks right, and ii updated my examples to your syntax17:00
jeblairso when the devstack-neutron-whatever job runs, it will will have all those variables, along with VIRT_DRIVER=fake which is set by the devstack job.17:01
clarkbthen the base job would have a base config in the same way devstack-gate has a base config. It sets error on clone, lists a safe IP addr range, sets password values etc17:01
clarkbjeblair: feel free to delete my examples if you think we are done with that17:02
jeblairand the "write localrc" pre-playbook role in the base devstack job will receive all of those variables, so it will write the correct thing17:02
clarkbyup17:02
mordredif we want to support setting abitrary filenames, I think we need a top-level container - but is doing that at the vars level actually valuable given local.conf itself has internal support for that?17:02
clarkbmordred: I don't think the local.conf is an arbitrary filename17:03
mordredright17:03
mordredso the 'devstack_local.conf' variable name isn't meant to imply there could be a different variable name that does something similar yeah?17:04
clarkbcorrect, its mostly there to make it a unique top level key so that you could have another key that said use this ip range for network overlay17:04
clarkbor use this usename for execution or whatever17:04
mordred(the dot in the name makes it seem like it's going to do something magic with varname -> filename)17:04
jeblairmaybe we should call it 'dsconf' or something?17:05
mordredgotcha. I'd suggest devstack_local_conf then just for my eyeballs - I think the dot will get confusing17:05
clarkbwfm17:05
jeblairmordred: that's a good compromise17:05
mordredwoot. I think this is gonna be nice17:05
jeblairit still clearly maps to the filename so people can make that connection, but doesn't look as magic17:05
clarkbnow one potential gotcha here is that order matters iirc17:06
clarkbdoes zuul/ansible preserve dict key ordering? I think pyyaml might actually17:06
jeblairclarkb: order in an ini file matters?17:06
clarkbjeblair: ya because its actually reading that section in as if it were bash :/17:07
jeblairclarkb: by default, pyyaml does not, but we can make it do so.17:07
clarkbwe can have dtroyer or sdague confirm that behavior too before we attempt to accomdate it17:07
mordredyah- the code is even already in the zuul repo iirc17:07
mordredI believe later values override earlier values ...17:07
clarkbmordred: ya the overriding of keys doesn't bother me17:08
mordredbut maybe that behavior is less important if we have key merging?17:08
clarkbbut in our example we use $HOST_IP so that has to be set before hand in the ini file17:08
mordredno- I mean, I think order matters because they have a latest-overrides-earlier behavior in ini reading17:08
mordredwhich is useful if you just want to append things, yeah?17:08
mordredahhhhhhh17:08
mordredgotcha17:08
clarkbmordred: yup I'm saying that portion of it is fine as is17:08
*** jkilpatr has quit IRC17:08
clarkbbut we need to handle the set HOST_IP first then use $HOST_IP later17:08
mordredso if these vars can refer to other previous vars, then yeah, we'll need to do the ordereddict trick17:09
jeblairokay.  that's not ideal (it adds a behavior that is not guaranteed by yaml), but i think we can make that happen.17:10
clarkbit should be backward compatible for anyone that doesn't care about ordering17:10
clarkbbut yes does add a behavior change17:10
jeblairwell, i'm less worried about backwards compat, and more worried about (and give me a little rope here) language purity17:12
jeblairi think we can make this work in zuul, i just worry that it might impact our ability to do something else later, and maybe makes the problem domain for tools that work with the config more fragile...17:12
jeblairoh i have an idea17:12
clarkban alternative is to pass literal block strings around as in jjb and let devstack utils or ds tools whatever it is called do the work17:12
* mordred waits for jeblair's idea17:13
jeblairwe have an ansible role that actually writes this out.  it could actually resolve variable dependencies and write them out in the right order, even with unordered input17:13
jeblair(yes, that means "parsing" bash, but a very limited subset of bash)17:13
mordredjeblair: how would the ansible role get the depends? wouldn't the zuul var merging/override get there first?17:14
jeblairmordred: it would see that "CLIENT_ADDRESS=$HOST_IP" uses $HOST_IP so it makes sure to write out HOST_IP first17:14
mordredjeblair: OH17:14
mordredjeblair: I understand what you are saying now17:15
mordredjeblair: yah - I dont' think that's too difficult17:15
clarkbI think that works in the simple case but you'll need to be careful if any of fancy bash string manipulation features are used17:15
clarkb(and maybe just say no you don't get those)17:15
jeblairclarkb: yeah17:15
mordredlet's start with jeblairs idea (it also means no changes to the zuul config loading and can just be done in the local.conf emitter)17:16
clarkbwould be good to run that by sdague but I think he is on vacation for some large chunk of time17:16
mordredwe can always revisit if there's fancy bash that's essential and have ordereddict in our back pocket if we get in a hole17:16
jeblairya, if we have to throw in ordereddict in a pinch, we can do that.  but this feels a little more conservative so it'd be nice to start there.17:17
mordred++17:17
mordredalso - I think it's TOTALLY doable to auto-translate local_conf jjb macro invocations to a devstack_local_conf variable setting17:18
jeblairmordred: woot17:18
mordredso that even one-for-one jobs can get the local_conf stuff nicely17:18
jeblairi think all the stuff in https://git.openstack.org/cgit/openstack-infra/devstack-gate/tree/devstack-vm-gate.sh#n258 is going to be complicated17:20
jeblaira lot of that can go into the devstack base job as simple variables17:20
jeblairbut some of it is more conditional17:20
clarkbthe python3 thing for example would be the python3 d-g job inheriting form base then overriding the python version var17:20
clarkbbut yes there is a lot of logic in there that will have to be untablged to end up with ^17:20
jeblairso do we start making a job hierarchy (like devstack-ironic which is the base job and virt-driver=ironic and all the related values already set)17:21
jeblairclarkb: hey i think we just said similar things :)17:21
clarkbwhere it will get really tricky is where existing jobs have many of those vars overlapping17:21
jeblairthat might be the way to start.  but again, we do have a 'devstack_localrc' role.  so if we need to keep some of that conditional logic, we can still do it there.17:21
clarkbneutron + dvr + python 3 + multinode (I don't know that that job exists today but illustrates the trickyness)17:22
* SpamapS is kind of lost17:22
jeblairSpamapS: we're focusing on the part of the devstack-gate job which writes the devstack localrc17:23
jeblairSpamapS: see lines 52, 67, and >76 in the etherpad for examples of how we think we can implement that with job variables17:24
SpamapSbeen waiting for a chance to contribute but I really don't know if I can help17:24
jeblairSpamapS: stick around -- we may have some tractable tasks soon17:24
jeblairmordred, clarkb: is that really all we need with the roles?  is it true that with all the stuff that's gone into the base roles, all we have left are the additional ssh work, network overlay, setup swap, and devstack localrc?17:26
mordredSpamapS: :Q17:26
mordredgah17:26
jeblairno :Qing!17:27
clarkbjeblair: and log hanlding. I think that captures it just going through a mental play by play of what d-g does17:27
clarkbwe may need something to deal with d-g hooks17:27
mordredjeblair: devstack-gate-vm-wrap.sh itself - which I was just scanning through - and hooks17:27
mordredclarkb: jinx17:27
clarkboh and executing tempest/grenade17:27
jeblairlet's tackle logs for a sec17:27
mordreddoesn't devstack itself have a log collection thing now? like devstack tells us what logs should be collected - or puts them into logs/ itself?17:28
clarkbmordred: sort of, it dumps all openstack services into journald with a devstack@ prefix17:29
clarkbmordred: so we do a for service enabled journald dump devstack@$service17:29
clarkbhowever thats only on pike/master at this point17:29
mordredclarkb: right - so if we put that logic into a devstack script somewhere17:29
mordredclarkb: in devstack itself17:29
clarkbwe could execute that script yes17:30
mordredthen have a log collection role that runs it if it exists, and then grabs ~stack/logs ?17:30
clarkb(don't forget system services like mysql and libvirt and rabbit)17:30
clarkbya something like that should work. We'll probably want compression to happen too17:30
mordredI guess what I mean is that in general if we can make devstack the one responsible for putting whatever it wants collected into ~stack/logs17:30
clarkband maybe don't rely on underlying script to alawys be nice and compress (but noop if it has)17:30
mordredthen we can do a verison of our existing log collection roles that grabs from ~stack/logs intead of ~zuul/logs?17:31
mordredis that reasonable? or should we have that be in the devstack-gate-collect-logs role?17:32
jeblairmordred: i think we abandoned that approach to log collection, and now rely on the job doing appropriate log collection in its post playbook17:32
mordredok.17:32
jeblairmordred: so, eg, tox post playbook copies node:/.tox/whatever to executor:logs17:32
mordredright17:32
mordredsorry - I've been unclear - lemme try again17:32
jeblairso i guess the corresponding thing is our base devstack job should copy all:~stack/logs to executor:logs ?17:33
mordreddevstack runs- there are logs on the machine, but they are in various places depending on devstack config17:33
mordred$something runs to get those collected into all:~stack/logs17:33
mordreddevstack-gate post-playbook copys all:~stack/logs to executor:logs17:33
SpamapSare we staging them on the executor so we can have untrusted do the staging, and then trusted do the insertion into log storage?17:34
mordredquestion is- do we have the post playbook itself be the thing that has the logic for step 2? or do we make that a devstack responsibility?17:34
jeblairSpamapS: yes; the base job handles the last bit17:34
SpamapSJust making sure I understand the flow.17:35
jeblairmordred: thinking17:36
SpamapSFrom a devstack-agnostic point of view, what I'd like is for something to tell my job where to stage its logs to.. and then anything I stage there gets pushed up into logs.17:36
SpamapSso considering devstack, I want that logic in the d-g roles.17:37
jeblairmordred: blue sky -- i think it'd be nice to have the devstack post playbook copy things from wherever they are to the executor.  ie, skip ~stack/logs.17:37
jeblairmordred: and if child jobs want to copy additional things, have their own post playbooks17:37
mordredjeblair: wfm17:38
jeblairlet me revise/clarify that:17:38
jeblairi think it'd be nice to have the devstack post playbook copy the core things it knows about from wherever they are to the executor.  ie, skip ~stack/logs. and if child jobs want to copy additional things, have their own post playbooks.17:38
jeblair(see the 'core things it knows about' insertion)17:38
SpamapSYeah that's how I see it too. [pre: make a staging place]-path_to_staging_place->[job1][child-of-job1][child-of-job1]->[post: scoop them up and publish]17:38
mordredSpamapS: yah17:39
jeblairSpamapS: yeah, though the staging place i'm arguing for is the one that zuul provides on the executor, so we don't need to do anything in pre17:39
SpamapSOh I thought base did that. Kk.. even simpler. :)17:39
jeblairyeah, $jobroot/logs is part of the "api" because that's where the console log goes17:40
mordredjeblair: and I think we already have a "copy logs to executor" role that takes arguments? or if we don't we should :)17:40
jeblairmordred: unsure.  it'd be a one-liner either way :)17:40
jeblairso having said that -- here's something else to consider17:41
jeblairearlier we made it easy to change devstack's configuration without writing new playbooks -- would this plan for logs cause folks to have to write post-playbooks?  or is it the case that because we're proposing the log collection happen in devstack itself, anything we can configure devstack to do with just localrc variables will automatically have its logs collected?17:42
clarkbI think the vast majority of stuff will be caught in the journald devstack@ dumping17:43
clarkbbasically any service started by devstack's run_process function17:44
mordredjeblair: well, you sold me on not having devstack collect them since that would involve copying to ~stack/logs I think - maybe if we make a genearl "copy-logs-to-executor" role that takes an arg of what to copy, we could have the devstack-gate base job take a variable which is "Additional logs to copy"?17:44
*** jkilpatr has joined #zuul17:44
clarkbitems I expect may end up being additional post playbooks would be for things like docker/k8s in kolla land, zookeeper in nodepool jobs17:44
clarkbshould be one or two per jobs and not in every job17:45
mordredyah- where there's legit additional things that need to happen for reasons that arent' just log collection17:45
jeblairmordred: yeah, i think that's workable -- but is it necessary?  it looks to me like anything that would need additional logs collected beyond what devstack does would already have local playbooks for the job itself, in which case, a post-playbook for log doesn't seem like a huge cost17:45
mordredyah17:46
jeblairso maybe we don't add that right now, but it's something we can throw in easily if needed17:47
mordred++17:47
jeblairokay, next topic: devstack-gate-vm-wrap.sh itself - and hooks17:47
clarkboh also older devstack will have the screen-* files in the logs dir so we check that too17:47
jeblairclarkb: ++17:47
jeblairactually, let's stay on logs a bit more17:48
jeblairwhat do we need to do to get from where we are today to what we're talking about17:49
clarkba role that knows to look for old logs dir location or generates logs using journalctl otherwise. Also knows to grab mysql, libvirt, etc logs17:50
jeblairokay, i'll try to pit this around line 31+ in etherpad17:51
mordredthe cleanup_host function17:51
mordredin functions.sh17:51
mordredis the thing that has the logic today17:52
jeblairokay that makes sense17:52
jeblairline 31 look right?17:53
clarkbjeblair: yes17:54
jeblairokay, devstack-gate-vm-wrap and hooks17:54
jeblairit seems that hooks generally should just be replaced by playbooks17:54
clarkb++17:54
mordredyup - ALTHOUGH - there's a catch17:55
jeblairso the devstack job should have a playbook which runs devstack.  and if you override the job, you can replace that.17:55
jeblair(and if you need to add pre/post, of course you can do that)17:55
mordredwhich is that currently the hook scripts are run in a  context with a bunch of d-g env vars set17:55
clarkbmordred: ya and many of them go on to run our default hook at the end of their execution17:55
mordredthe 'easy' path for folks would be a post-playbook that just does shell: existing/hook/script.sh17:55
mordredbut that would be missing the d-g vars17:56
mordredso ... what if we did the following:17:56
clarkb(so we won't be able to delete devstack-vm-gate.sh right away)17:56
jeblairmordred: post playbook?  they want to run stuff after devstack and tempest runs?17:56
* jeblair waits for mordred17:57
mordred- split devstack-vm-gate-wrap into two bits - the first part that does all the env var stuff it does today, then outputs all of those vars into a sourceable file - run that as a d-g pre playbook17:58
mordredhave a d-g pre and d-g post playbook that take a path to a hook script, and if it gets one, runs that with the d-g vars sourced17:59
mordredturn the second half of devstack-vm-gate-wrap into pre run and post playbooks (instead of command-line ansible)17:59
jeblairmordred: i like the general direction, but i'd like to make sure we're able to deprecate all the hook stuff eventually.  so maybe we should avoid doing any of that in the base jobs, but have the conversion script do that expilicitly for jobs with hooks.18:03
jeblairso, if you have some jjb that defines a pre_hook, you get an auto-converted job with a 'legacy-devstack-gate-pre-hook' pre playbook?18:04
mordredjeblair: yah - that works- mostly don't want to make people rewrite their existing shell scripts in order to adopt the new base jobs18:04
jeblaircool18:04
mordredjeblair: yah18:04
jeblairi just rejiggered the jobs at the bottom of the etherpad18:05
clarkbI've got to pop out now to prep for meeting18:05
jeblairclarkb: thanks!18:06
*** electrofelix has quit IRC18:06
jeblairi added 'devstack' as a pre-run item on the devstack job, thinking that lets anyone make a job that inherits from devstack so they have devstack all set up18:06
jeblairlike the tempest job below it (which runs tempest in the main playbook)18:06
jeblairbut i wonder if that's incompatible with devstack-gate pre hooks18:06
jeblairwhere to the pre-test hooks run18:07
mordredwell- based on what you said earlier- let's think of it as two stacks - a legacy-d-g stack and a new-d-g stack18:07
mordredso the legacy one does the hooks thing - but the non-legacy one does not and just uses pre/post as v3 normally does18:08
jeblairit's pre_test_hook (normally empty); gate_hook (normally devstack and tempest, though tempest running is controlled by variable); then post_test_hook(normally empty)18:08
jeblairmordred: okay, so we may need a legacy base devstack job to satisfy the conversion script and usage of hooks18:09
mordredwell- we can have a run-devstack role and a run-tempest role, and the run playbook for the devstack job only run the devstack role but the run playbook of the tempest job run both18:09
mordredjeblair: yah18:09
jeblairoh that's a good idea too18:10
jeblairi guess the devstack-in-pre job idea is mostly useful for openstack consumer jobs, like nodepool.  not so much openstack service jobs.18:10
jeblairmaybe we should do both things.18:11
mordredyah - and having it as a separate role lets us totally do that18:11
mordredlike that maybe18:12
jeblairmordred: and devstack-consumer is what a nodepool-like job would inherit from?18:12
mordredyah18:12
jeblaircool, that makes sense18:12
mordredjeblair: we said earlier we can do the roles in openstack-zuul-jobs/zuul-jobs, but I think some of the above playbook composition does want to happen in the d-g repo - and should be fairly easy (easier than role decomp) to do in place18:15
mordredespecially since a bunch of it is running ansible already anyway18:15
jeblairmordred: agreed18:15
jeblairmordred: i've moved our role list down to below line 3718:16
jeblairi'm going to annotate it with repos18:16
pabelangeryes, that is helpful18:16
mordredjeblair: should the devstack and tempest roles eventually live in devstack and tempest rather than d-g?18:18
jeblairmordred: i would like that18:18
jeblairmordred: maybe that's a chat to have at the ptg?18:18
mordred++18:18
mordredfor now, let's name them something with d-g inthe title so that if/when we move them to devstack and tempest we can do that without d-g inthe title and migrate with less rename steps18:19
jeblairokay, i think that captures the roles and jobs we need to write18:19
jeblairwhy the -gate suffix?18:19
jeblairoh i missed that line ^18:19
mordred(from the above statement- future-proof for intent to move thenm)18:19
mordredwe can also skip it though18:20
mordredot18:20
jeblairwe can try it that way18:21
jeblairdo we want to stop now, or do folks want to start claiming todo items?18:23
pabelangerthe first 2 steps in TODO, we can start now. The next also require adding d-g to zuulv3.o.o, is that something we want to do sooner then later?18:23
jeblairpabelanger: we can go ahead and add it i think18:24
mordredoh - I wrote that change last night actually...18:24
mordredhttps://review.openstack.org/49397418:25
mordredoh 0 wait - didn't we say we wanted to make "install ssh keys on all hosts" its own role?18:26
jeblairhow about this -- we all have other stuff on our plate, so rather than dividing all of that up right now, we leave the devstack-gate etherpad first-come fist-served.  as you find time to work on the devstack-gate stuff, go to the etherpad and claim a thing.18:26
mordredjeblair: ++18:26
jeblairmordred: see lines 42 and 4518:26
jeblairmordred: i was thinking we add the private key to the existing role, but make root its own new role18:27
mordredjeblair: I'm going to add the above text about splitting devstack-vm-gate-wrap into some pieces18:27
mordredjeblair: ahhhh. I can't read18:27
pabelangerYa, I want to get some eyes on 492671 first, that is are test secret for zuulv3-dev18:27
jeblairor i can't type :)18:27
jeblairmordred: fyi, i have 2 things that have pushed onto the top of my stack: 1) find out why zuulv3 gate pipeline doesn't work.  2) add unit tests for leaking secrets.18:28
jeblairi'm going to run out and grab some lunch before the next irc meeting. :)18:29
mordredjeblair: yes. my stack is to finish the docs/publish tasks that are on my plate and work on migration script18:30
*** jkilpatr has quit IRC19:03
*** dkranz has quit IRC19:03
*** leifmadsen has quit IRC19:03
*** jkilpatr has joined #zuul19:03
*** dkranz has joined #zuul19:03
*** leifmadsen has joined #zuul19:04
fungii guess https://etherpad.openstack.org/p/AIFz4wRKQm is the thing i said i'd read through when i got home, judging from scrollback20:30
fungioof, that's some content! looking forward to this20:31
*** dkranz has quit IRC20:48
openstackgerritJames E. Blair proposed openstack-infra/zuul feature/zuulv3: Test that secrets don't leak into logs  https://review.openstack.org/49401520:54
jeblairpabelanger, mordred, clarkb, fungi: is that the sort of thing we're looking for?20:54
pabelangerjeblair: Wow, ya. I think that is what we want to do. Walk logs directory20:59
clarkbjeblair: based on the commit message yes20:59
mordredjeblair: that looks good - one quick suggestion - add a positive test to the same setup that is a playbook that writes the secret content to a flag file- so you can verify that 'test-password' is actually the content of the secret (and it's not just passing the test because of a name mismatch)21:08
mordredjeblair: I'm pretty sure that's not the case right now- but in case someone makes a change in the future21:08
mordredoh. wait21:08
mordrednevermind21:08
mordredI just read the place where you do that already21:09
* mordred goes back into his hole21:09
mordredalso, your implementation of that idea is better than mine21:09
jeblairmordred: oh you had an implementation of that?21:10
mordredjeblair: no - my suggestion aboveof what to do - your test is better than my words21:10
jeblairoh ok cool21:10
jeblairand yeah, i think the test covers your suggestion (which is good)21:11
mordredjeblair: we still have to restart the scheduler on updates to main.yaml yeah?21:12
jeblairbasically, the test verifies that 'test-password' shows up in exactly two files: the file the job is writing it out to, and the file that holds the decrypted variable for ansible21:12
jeblairmordred: yes, or issue a sighup to reconfigure21:12
mordredjeblair: I am saying things to you privately and I do not thik you are receiving them21:14
jeblairmordred: that is fascinating! i am indeed receiving nothing21:14
mordredjeblair: I continue to be able to see what you are typing21:16
*** mordred has quit IRC21:27
*** mordred has joined #zuul21:27
fungijeblair: 492287 is great--thanks for putting that together?21:27
fungialso, i'm not caught up on scrollback in here... are the excess of RETRY_LIMIT events a known issue (hopefully)?21:27
fungier, thanks for putting that together! (proper use of punctuation eludes me sometimes)21:27
fungi489691 got me thinking... what is the current behavior if someone does attempt to (either accidentally or intentionally) define a job under a name which is already in use by another repo? does zuul refuse to test that change? fail? undefined behavior still?22:21
fungiokay, this is not so good... 494015 seems to have fallen into a check loop22:23
fungizuul keeps leaving a +1 on it (instead of +2) and reenqueuing into the gate over and over22:24
fungiso not check loop i guess, but gate loop22:24
fungii wonder if we just merged something which broke the gate pipeline config?22:25
fungi494006 maybe?22:26
fungilast reconfig event for the scheduler on zuulv3.o.o was at 20:42:01 utc according to the debug log22:28
fungi2017-08-15 20:42:01,696 INFO zuul.DependentPipelineManager:   On success: [<zuul.driver.sql.sqlreporter.SQLReporter object at 0x7f68f98d6e10>, <zuul.driver.gerrit.gerritreporter.GerritReporter object at 0x7f68f98d6be0>]22:34
fungi2017-08-15 22:21:04,937 DEBUG zuul.GerritReporter: Report change <Change 0x7f68f98f6908 494015,1>, params {'Verified': 2, 'submit': True}, message: Build succeeded (gate pipeline).22:34
fungiso why is gerrit recording it as a verified +1 and no submit?22:34
* fungi checks zuul account perms22:35
fungiit looks like the zuul account in gerrit is in the "continuous integration tools development" group which the all-projects acl only grants verify -1..+122:44
fungiand not in the "continuous integration tools" group which is granted -2..+2 (that currently contains only the jenkins account)22:44
pabelangerYa, I don't think we ever changed that22:44
fungii'll un-approve 494015 for now so that it hopefully ceases looping22:44
pabelangerIIRC, we did that first to avoid zuul +2 things behind the back of jenkins22:44
fungimakes sense. is there an acl change proposed for the repos we want zuul able to do this for?22:44
pabelangerI have not, but sounds like a great idea to dp22:44
pabelangerdo*22:44
fungiwe can always allow it on a per-repo basis for the moment (grant Verify -2..+2 and Submit to the Continuous Integration Tools Development group on the refs/heads/* ref block)22:44
clarkbdoes it make sense to just update the users global group membership at this point?22:44
fungithat's more or less what i'm asking22:44
fungisimple change is to add zuul to the Continuous Integration Tools group in gerrit (and optionally remove it from Continuous Integration Tools Development)22:44
clarkbI think if we are happy to have it gating and +2'ing and submitting some projects than we should be fine with it for any project22:44
fungii'm cool with that, just looking to others for consensus22:44
fungiand also glad that what i found was not actually a bug in zuulv3, and also that there was sufficient detail in the logs for me to piece together the actual issue22:44
mordredfungi, clarkb: yay you found the gate issue!22:44
fungiheh22:44
mordredand yes, adding zuul to the group is the right choice22:44
mordredfungi: I'm thrilled you were able to diagnose that from logs!22:44
fungii would have gotten there sooner, but have been so disconnected i didn't realize zuulv3.o.o hadn't _actually_ +2'd and submitted a change yet22:45
fungifor some reason i thought that was already happening as of late last week22:46
fungiso most of the confusion is me being late to the party (as usual)22:46
clarkbwell I think its setup to work so unexpected that it didn't/doesnt22:48
fungiright, more that i assumed someone had approved something to those repos already since the switch ;)22:49
mordredclarkb, fungi: y'all ok with me going ahead and moving zuul into the CI TOols group?23:10
clarkbwfm23:10
mordreddone23:10
mordredI have re-approved that change23:10
mordredand it is in gate ...23:11
jeblairbegin 8 minute drumroll23:12
SpamapShttps://www.youtube.com/watch?v=ian6NyXpszw23:19
SpamapS"drumroll please..."23:19
openstackgerritMerged openstack-infra/zuul feature/zuulv3: Test that secrets don't leak into logs  https://review.openstack.org/49401523:20
jeblair\o/23:20
mordred"Change has been successfully merged into the git repository by Zuul" \o/23:21
pabelangerYay23:43
« Monday, 2017-08-14 Index Wednesday, 2017-08-16 »

Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!