Monday, 2018-03-05

00:23 *** rcarrillocruz has quit IRC
00:38 *** rcarrillocruz has joined #zuul
00:43 *** xinliang has quit IRC
00:58 *** xinliang has joined #zuul
03:12 *** threestrands_ has joined #zuul
03:12 *** threestrands_ has quit IRC
03:12 *** threestrands_ has joined #zuul
03:16 *** threestrands has quit IRC
03:23 *** dkranz has quit IRC
04:23 <tobiash> pabelanger: do you mean trusted or untrusted? In trusted playbooks local shell scripts aren't constrained,
04:25 <tobiash> And running git in an untrusted shell has probably a big attack vector
04:30 *** bhavik has joined #zuul
04:37 *** bhavik has quit IRC
06:27 *** sshnaidm|ptg has joined #zuul
06:31 *** sshnaidm|ptg has quit IRC
06:36 *** jaianshu has joined #zuul
06:57 *** threestrands_ has quit IRC
07:39 <openstackgerrit> Tobias Henkel proposed openstack-infra/zuul master: Normalize hostname for statsd  https://review.openstack.org/547309
07:40 <tobiash> jhesketh: ^
07:52 <openstackgerrit> Tobias Henkel proposed openstack-infra/zuul master: Normalize hostname for statsd  https://review.openstack.org/547309
08:17 *** snapiri has quit IRC
08:22 *** snapiri has joined #zuul
08:45 *** jaianshu has left #zuul
08:46 *** chrnils has joined #zuul
09:18 <openstackgerrit> Merged openstack-infra/zuul-jobs master: Set wheels-mirror for openSUSE Tumbleweed  https://review.openstack.org/549181
09:18 *** zigo has quit IRC
09:20 *** jhesketh has quit IRC
09:21 *** hashar has joined #zuul
09:22 *** jhesketh has joined #zuul
09:23 *** zigo has joined #zuul
09:32 *** hashar has quit IRC
09:34 *** electrofelix has joined #zuul
09:41 *** hashar has joined #zuul
09:42 <openstackgerrit> Tobias Henkel proposed openstack-infra/zuul master: Normalize hostname for statsd  https://review.openstack.org/547309
10:00 <electrofelix> I recall there was a dedicated site setup for zuul recently, but can't seem to find it? Is there also a separate mailing list?
10:04 <AJaeger> electrofelix: zuul-ci.org
10:12 <openstackgerrit> Antoine Musso proposed openstack-infra/zuul master: Ensure that Change number and patchets are string  https://review.openstack.org/545768
10:16 <electrofelix> AJaeger: thanks
10:18 <electrofelix> Maybe the topic could be updated to include it?
10:19 *** yolanda has joined #zuul
10:28 <openstackgerrit> Antoine Musso proposed openstack-infra/zuul master: Import Zuul modules at top of files  https://review.openstack.org/549730
12:04 <kklimonda> is there an official way of passing variables between pre/run/post playbooks?
12:06 <kklimonda> for some reason I recall zuul_return not exposing variables to other playbooks, but I could be wrong?
12:22 <openstackgerrit> Tristan Cacqueray proposed openstack-infra/zuul master: configloader: add variant-description  https://review.openstack.org/549748
12:25 <pabelanger> tobiash: yah, untrusted. Doesn't need to be shell, could be command (is the same I think). But untrusted git commands on executor fail obviously today
12:26 <tobiash> pabelanger: so do you need untrusted git commands on the executor?
12:27 <pabelanger> tobiash: right now yes, only because I am working around issues with base jobs in project-config. eg: http://git.openstack.org/cgit/openstack/windmill/tree/tests/base-minimal.yaml
12:28 <pabelanger> tobiash: as you see, all the roles only run on a single node (bastion) however, my nodeset is multiple nodes.  Today, we cannot do that with our base jobs, I have ideas how to fix them, but need to discuss: http://git.openstack.org/cgit/openstack/windmill/tree/tests/base-minimal.yaml
12:28 <pabelanger> err
12:28 <pabelanger> https://review.openstack.org/546474/
12:30 <tobiash> if the issue is a missing origin, https://review.openstack.org/#/c/544964/ adds one (with the state of the speculative parent)
12:31 <tobiash> I fear allowing git operations for the command module will open an attack vector we cannot really estimate due to the huge featureset of git
12:31 <pabelanger> tobiash: no, it is about only git cloning repos from executor to a specific host, not all hosts
12:32 <pabelanger> tobiash: but origin is also a bug, I think in ansible git module
12:32 <tobiash> ah, so you just want to filter the hosts where you want to push the repos to
12:33 <pabelanger> tobiash: yes, this is because how my nodeset is setup: http://git.openstack.org/cgit/openstack/windmill/tree/.zuul.d/jobs.yaml#n50 I'm using ansible host aliases. Basically 1 node from nodepool, but ansible sees 7
12:34 <tobiash> pabelanger: is the git push playbook just doing the git stuff?
12:35 <tobiash> if yes, it could run against {{ filtered_hosts | default('all') }}
12:35 <tobiash> and if a job defines the filtered_hosts variable it might be possible to limit pushing to a specific host
12:36 <pabelanger> tobiash: yes, that is right. But filtered_hosts needs to be an extra-vars, not host or group
12:36 <pabelanger> tobiash: which we don't have a way to setup in zuul.yaml today
12:36 <tobiash> ok, and the only extra vars we currently have are sitevars
12:36 <pabelanger> tobiash: we could use a secret, but then it gets more complicated as they are dicts
12:37 <tobiash> maybe also secrets...
12:38 <pabelanger> yah, but we'd need a more complicated playbooks for secrets, as secret.filtered_hosts | default('all') doesn't work out of box.  We'd need to include more if logic into the jinja2 template
12:38 <pabelanger> doable, just more tricky
12:40 <tobiash> pabelanger: can we already define host or group vars in the nodeset?
12:40 <pabelanger> tobiash: yah, I think that landed 2 weeks ago?
12:40 <tobiash> maybe the git push should skip per host if required
12:41 <tobiash> so make it push with when: no_source is not defined
12:42 <tobiash> then you could mark some hosts in the nodeset to not receive git repos if desired
12:42 <pabelanger> tobiash: yah, we could do that too. But opted not to do so, because it isn't just the git push. It really is above running the roles as they are today, only on 1 or specific filtered hosts
12:43 <tobiash> pabelanger: well you should not be able to opt out of the ssh key stuff
12:43 <tobiash> so that leaves the streaming daemon, git push
12:44 <tobiash> am I missing further stuff?
12:44 <pabelanger> tobiash: remember, I just have a single ansible_host (shared IP) between all the ansible hosts. So, even if I say 1 nodes in inventory, all that are using the shared_ip, get the tasks run
12:45 <pabelanger> so, not opting out, just not running the same tasks multiple times on the same host
12:45 <pabelanger> SSH keys, zuul_stream do work today
12:45 <tobiash> so you're trying to solve races with serial
12:45 <tobiash> I see
12:46 <pabelanger> yah, serial would also work, but again, need extra-vars support
12:46 <pabelanger> because, cannot be setup via host / group vars
12:47 <pabelanger> Idempotence is really the issue
12:47 <pabelanger> some of our tasks are, others are not
12:47 <pabelanger> and racy
12:48 <tobiash> yah, the extra-vars will be useful
12:48 <tobiash> also for doing CD with deployment scripts which use extra-vars
12:58 <openstackgerrit> Andrea Frittoli proposed openstack-infra/zuul-jobs master: Add known hosts for all users  https://review.openstack.org/548642
13:10 *** dkranz has joined #zuul
13:20 <andreaf> tobiash pabelanger is there a tool in zuul that given a job name will build a list of plays that will be invoked for that job?
13:21 <tobiash> andreaf: no
13:21 <andreaf> tobiash pabelanger what I'm trying to do is to run a job locally and for the test to be meaningful I need to run all the pre plays of all parent jobs first
13:22 <andreaf> tobiash ok too bad
13:22 <tobiash> andreaf: such a tool is kind of on the future roadmap in the future
13:22 <pabelanger> yah, for now, you'd have to parse debug logs and see what ansible-playbook commands are run. Which is a lot harder, if you are not a zuul admin
13:23 *** rlandy has joined #zuul
13:24 <tobiash> andreaf: no one has taken this task yet so if you want to work on that tool nobody will complain ;)
13:26 <andreaf> tobiash heh not likely to happen but I will consider it
13:27 *** myoung|ruck|off is now known as myoung|ruck
15:00 *** rlandy_ has joined #zuul
15:01 *** rlandy has quit IRC
15:02 *** rlandy__ has joined #zuul
15:05 *** rlandy_ has quit IRC
15:23 *** rlandy__ is now known as rlandy
15:32 <kklimonda> Is there an example of passing some variables between playbooks? Is it even possible with current implementation? If not, I'd like to extend behavior of `zuul_return` so that variables returned are then made available to other playbooks
15:32 <clarkb> each playbook is its own ansible-playbook process
15:32 <clarkb> so I don't think that is currently possible
15:33 <kklimonda> mhm, and I probably can't easily load variables from executor in an untrusted playbook?
15:34 <kklimonda> hmm, unless include_vars accept any paths, and doesn't have to be relative to the role
15:34 *** openstackgerrit has quit IRC
15:34 <kklimonda> if so, I could probably write yaml file with variables as part of a trusted playbook, and load it back from untrusted
15:56 <tobiash> kklimonda: I think this is not implemented yet but such a use case has been discussed in the past
15:56 <tobiash> so feel free to propose an implementation
15:57 <tobiash> during implementation keep in mind that you have to make sure that this doesn't overwrite secrets or sitevars
16:02 *** openstackgerrit has joined #zuul
16:02 <openstackgerrit> Merged openstack-infra/zuul-jobs master: Allow updates from untrusted mirrors  https://review.openstack.org/549162
16:02 <openstackgerrit> Merged openstack-infra/zuul-jobs master: bindep: use shell instead of command with executable  https://review.openstack.org/546869
16:02 <openstackgerrit> Merged openstack-infra/zuul-jobs master: ara: check for return code instead of succeed  https://review.openstack.org/546892
16:02 <kklimonda> tobiash: the idea I had was to reuse zuul_return for that, making returned variables available for other playbooks - assuming that ansible is smart about that, as long as I include variables from results.json (or really results.yaml) before secrets and sitevars, it should work. I think that's how site-variables are implemented now, having precedence over any other source.
16:03 <tobiash> kklimonda: I'm not sure if we maybe want to put these vars under a root var
16:03 <tobiash> But that probably doesn't change the approach
16:04 <pabelanger> yah, we've discussed zuul_return for that before
16:04 <pabelanger> not sure where that ended up on the discussion list at PTG
16:04 <tobiash> Unfortunately not
16:05 <tobiash> But zuul_return is the right thing for that
16:06 <kklimonda> tobiash: is there any particular reason to "namespace" those variables, or are you just playing it safe?
16:06 <tobiash> This idea is just for discussion
16:07 <tobiash> In that regard i'd like to hear corvus thought but he is afk this week
16:08 <tobiash> The idea is just to be safe
16:09 <tobiash> But anyway, namespacing doesn't really change the overall approach
16:10 *** electrofelix has quit IRC
16:21 <openstackgerrit> Krzysztof Klimonda proposed openstack-infra/zuul master: [WIP] Pass variables returned by zuul_return to other playbooks  https://review.openstack.org/549807
16:30 <SpamapS> tobiash: do you use the review API from github to send things into your gate pipelines?
16:30 <SpamapS> tobiash: I'm having trouble with it.. the permissions don't seem to be right, so I can't actually get it to send things in because reviews don't come back with the 'write' permission, even though people do in fact have write permissions on the repo.
16:32 <SpamapS> kklimonda: as a workaround, you can always use `slurp` and `from_json` to grab the bits that zuul_return leaves behind in the work directory.
16:33 <kklimonda> can I slurp on executor?
16:34 <kklimonda> (from an untrusted code)
16:34 <pabelanger> kklimonda: I'm not sure. I'd guess not, but let us know :)
16:34 <tobiash> SpamapS: you mean to trigger the gate?
16:36 <tobiash> The review analysis is still buggy (e.g. when formatting the change message)
16:37 <SpamapS> kklimonda: you should be able to slurp from the work dir, which is where zuul_return drops its json.
16:37 <SpamapS> Or did we get slick and make zuul_return special enough to write outside work dir?
16:38 <pabelanger> can you slurp on localhost? I've never tried myself
16:38 <SpamapS> yep
16:38 <pabelanger> cool
16:38 <SpamapS> Though I'd guess include_vars is the better choice there *if* it works.
16:39 <tobiash> SpamapS: that is a possibility to share data between playbooks in the same job
16:39 <tobiash> For data sharing between dependent jobs the zuul_return method would be needed
16:40 <SpamapS> Yeah I thought kklimonda was talking about playbooks in the same job.
16:40 <SpamapS> zuul_return already works fine for passing variables to child jobs.
16:40 <tobiash> That got already implemented?
16:41 <tobiash> Cool, didn't notice that
16:41 <kklimonda> yes, passing variables to child jobs work fine with zuul_return
16:41 <tobiash> kklimonda: then forget all I said and trust SpamapS ;)
16:42 <SpamapS> tobiash: regarding reviews and pipelines, what I mean is, I have this pipeline and it doesn't ever trigger:
16:42 <tobiash> Yeah, I ty
16:42 <kklimonda> SpamapS: I indeed want to pass variables between playbooks in the same job - `include_var` sounds like a nice workaround until that can be done by zuul
16:42 <kklimonda> I'll see if it actually works in a minute ;)
16:42 <SpamapS> http://paste.openstack.org/show/691974/
16:42 <tobiash> Yeah, that could be broken
16:43 <tobiash> We trigger only on merge label due to this
16:43 <SpamapS> and the reason is the require section
16:43 <kklimonda> (I wouldn't be surprised if both slurp and include_vars refuse to run in untrusted "context")
16:43 <SpamapS> nobody seems to have the 'write' permission.
16:43 <SpamapS> kklimonda: they should just be scoped down to safe paths
16:44 <tobiash> SpamapS: what does the api say?
16:44 <SpamapS> tobiash: Oh I keep forgetting you wrote us a nice tool for this.
16:45 * SpamapS fires it up
16:45 <tobiash> SpamapS: remove the write from the pipeline
16:46 <tobiash> Afaik zuul only checks reviews from people with write access
16:46 <tobiash> But have to double check that
16:47 <tobiash> SpamapS: like https://docs.openstack.org/infra/zuul/admin/drivers/github.html#requirements-configuration
16:48 <tobiash> Zuul should only take reviews from write access people into account
16:50 <tobiash> SpamapS: yea, used that tool too
16:51 <tobiash> Github was a minute behind which broke zuul auth...
16:52 <tobiash> SpamapS: so if you use app auth you should definitely make sure that both zuul and github have ntp configured...
16:54 <SpamapS> No I am still on webhooks
16:54 <SpamapS> haven't had time to migrate to apps
16:55 <SpamapS> pipeline.require.<github source>.review.permission
16:55 <SpamapS>     If present, the author of the code review must have this permission (or permissions). The available values are read, write, and admin.
16:55 <SpamapS> tobiash: ?
16:55 <SpamapS> that looks like what I'm aiming for.
16:56 <tobiash> Hrm, then that may not work quite yet
16:57 <tobiash> Does it trigger on any approval if you remone the write?
16:57 <tobiash> remove
16:58 <tobiash> Gah, my mobile keyboard is too small
17:06 <kklimonda> SpamapS: thanks, looks like include_vars will work as a workaround - slurp however has no zuul-specific implementation and so won't work
17:22 <SpamapS> tobiash: I haven't tried that yet.
17:22 <SpamapS> kklimonda: indeed, was just poking at that.
17:32 <tobiash> SpamapS: at least what I read from the code requesting reviews with write permission won't match reviews with admin permission
17:33 <tobiash> but it looks like currently you cannot require with permission write OR admin
17:39 <tobiash> SpamapS: I think it would also be better to implement review checks in canMerge in the github connection
17:39 <tobiash> that way you could trigger on any review, remove reviews from the required section and rely on the branch protection settings
17:40 <tobiash> this could be implemented on top of https://review.openstack.org/#/c/535680/
17:40 <tobiash> which does that for build statuses (which I use in production for quite some time now)
17:40 <tobiash> it's still wip due to lacking tests
17:40 <SpamapS> tobiash: I like that.
17:42 *** rlandy is now known as rlandy|biab
17:49 <pabelanger> figure k8s people might be interested: http://logs.openstack.org/68/549768/11/check/kubespray-base/dc9118b/job-output.txt.gz
17:50 <pabelanger> while not a native zuulv3 job, I did manage to install kubespray with it being in zuul tenant configuration
17:50 <pabelanger> https://review.openstack.org/549768/ now to start cleaning it up
17:51 <AJaeger> great, pabelanger !
17:52 <pabelanger> yah, the cool thing, is their playbooks / roles worked as expected
17:55 <Shrews> oh hey, where is the next PTG?
17:55 <Shrews> i assume that was announced last week
17:55 <pabelanger> I didn't hear anything myself
17:55 <tobiash> Shrews: not yet
17:56 <pabelanger> I also hear talks at board meeting to cancel PTG
17:56 <tobiash> I just heard that it will probably be in north america
17:56 <tobiash> pabelanger: ?
17:56 <pabelanger> yah, wasn't there discussions on monday board meeting about if PTG is needed any more? That's at least what I heard from people
17:58 <tobiash> oh
17:59 *** myoung|ruck is now known as myoung|ruck|food
18:05 <rcarrillocruz> eugh
18:05 <rcarrillocruz> wasn't aware of that
18:10 *** hashar is now known as hasharAway
18:11 <pabelanger> don't quote me. But that is what I heard from some people
18:26 *** myoung|ruck|food is now known as myoung|ruck
18:42 *** rlandy|biab is now known as rlandy
18:49 *** harlowja has joined #zuul
18:50 <SpamapS> tobiash: indeed, require write was the problem, using require admin is my current workaround, but I think I have a simple solution to try in code
18:50 <tobiash> SpamapS: ok
18:50 <SpamapS> cancel PTG and just move it back to summit?
19:24 <openstackgerrit> Clint 'SpamapS' Byrum proposed openstack-infra/zuul master: Match github model of granting admins write  https://review.openstack.org/549853
19:24 <SpamapS> tobiash: ^
19:26 <tobiash> lgtm
19:32 <openstackgerrit> David Moreau Simard proposed openstack-infra/zuul-jobs master: Save the ARA sqlite database in a specific folder  https://review.openstack.org/513874
19:47 *** chrnils has quit IRC
19:57 *** hasharAway is now known as hashar
20:18 <openstackgerrit> David Moreau Simard proposed openstack-infra/zuul-jobs master: Save the ARA sqlite database in a specific folder  https://review.openstack.org/513874
20:30 *** dkranz has quit IRC
20:33 <pabelanger> is depends-on for github working today?
20:33 <pabelanger> I haven't tried, but wasn't sure
20:34 <clarkb> I think so iirc monty tested it with shade/ansible
20:35 <pabelanger> k, that's what I figured
20:35 *** dkranz has joined #zuul
20:35 <pabelanger> trying it with kubernetes-incubator/kubespray now
20:35 <rbergeron> spray alllllll the kubes
20:36 <pabelanger> yah, it does work
20:36 <rbergeron> with that sweet zuul pixiedust
20:36 <pabelanger> which is cool
20:38 <pabelanger> and worked as expected, nice
20:47 <tobiash> pabelanger: it works even cross source with gerrit :)
20:49 *** kmalloc has joined #zuul
20:55 <openstackgerrit> Paul Belanger proposed openstack-infra/zuul-jobs master: DNM - test base-test  https://review.openstack.org/549867
21:20 *** dkranz has quit IRC
21:41 *** myoung|ruck is now known as myoung|ruck|bbl
21:45 *** threestrands_ has joined #zuul
21:45 *** threestrands_ has quit IRC
21:45 *** threestrands_ has joined #zuul
22:03 *** hashar has quit IRC
22:08 <openstackgerrit> Andrea Frittoli proposed openstack-infra/zuul-jobs master: Add known hosts for all users  https://review.openstack.org/548642
22:30 <openstackgerrit> Andrea Frittoli proposed openstack-infra/zuul-jobs master: Add known hosts for all users  https://review.openstack.org/548642
23:00 <openstackgerrit> Andrea Frittoli proposed openstack-infra/zuul-jobs master: Add known hosts for all users  https://review.openstack.org/548642
23:09 *** jappleii__ has joined #zuul
23:12 *** jappleii__ has quit IRC
23:12 *** threestrands_ has quit IRC
23:12 *** threestrands has joined #zuul
23:12 *** threestrands has quit IRC
23:12 *** threestrands has joined #zuul
