Monday, 2018-03-12

« Sunday, 2018-03-11 Index Tuesday, 2018-03-13 »
*** JasonCL has joined #zuul00:05
*** JasonCL has quit IRC00:12
*** JasonCL has joined #zuul00:20
*** JasonCL has quit IRC00:36
*** JasonCL has joined #zuul00:37
*** JasonCL has quit IRC01:29
*** robled has quit IRC02:58
*** robled has joined #zuul02:59
*** robled has quit IRC02:59
*** robled has joined #zuul02:59
*** bhavik has joined #zuul06:02
*** threestrands_ has joined #zuul06:26
*** threestrands has quit IRC06:34
*** yolanda has quit IRC06:34
*** xinliang has quit IRC06:34
*** dmsimard has quit IRC06:34
*** xinliang has joined #zuul06:40
*** yolanda has joined #zuul06:41
*** dmsimard has joined #zuul06:42
*** bhavik has quit IRC06:49
*** sshnaidm has joined #zuul07:11
*** threestrands_ has quit IRC07:13
*** jpena|off is now known as jpena08:14
openstackgerritTobias Henkel proposed openstack-infra/zuul master: Add new tox-remote job  https://review.openstack.org/55130108:22
tobiashclarkb, corvus, mordred: that should be ready now ^08:23
*** electrofelix has joined #zuul08:36
*** JasonCL has joined #zuul09:32
*** JasonCL has quit IRC09:38
*** JasonCL has joined #zuul09:49
*** hashar has joined #zuul09:51
*** JasonCL has quit IRC09:58
*** JasonCL has joined #zuul10:22
*** JasonCL has quit IRC10:54
*** JasonCL has joined #zuul10:58
*** JasonCL has quit IRC11:02
tobiashoh, just had an idea to improve that a bit11:25
*** JasonCL has joined #zuul11:34
*** JasonCL has quit IRC11:41
hughsaunderselectrofelix: pong11:42
openstackgerritTobias Henkel proposed openstack-infra/zuul master: Add new tox-remote job  https://review.openstack.org/55130111:53
openstackgerritTobias Henkel proposed openstack-infra/zuul master: Add new tox-remote job  https://review.openstack.org/55130111:54
tobiashclarkb, corvus, mordred: that injects a fixture dir into the bwrap context which we can use for the forbidden source tests ^11:55
electrofelixhughsaunders: hiya, just wanted to sync a bit on the nodepool plugin11:59
hughsaunderselectrofelix: ok :)11:59
hughsaundersBeen making some progress... currently faffing with JDK installation.11:59
electrofelixturns out from my initial look at a zuul trigger plugin, that really need make the nodepool a dependency of it, as it becomes overly complex for no added gain trying to make zuul <--> jenkins work together without nodepool12:00
hughsaundersI'll push what I've got, its still super rough.12:01
electrofelixthat's ok, just looking to understand where I can help12:03
electrofelixtrying to build a plan for time to be dedicated here to work on the plugin to deliver nodepoolv3 <--> jenkins as a first step12:04
hughsaunderselectrofelix: https://github.com/rcbops/nodepool-plugin/pull/712:06
hughsaundersThats the current latest, have a poke at the head of the branch.12:07
hughsaundersI'd be happy to move it over into the openstack namespace, get more eyes and use gerrit etc.12:07
hughsaundersBut its not in a useable form yet12:07
electrofelixthanks, looking over it now12:12
*** myoung has joined #zuul12:17
hughsaunderselectrofelix: the docker-compose file in the docker dir is a good way to experiment, that combine with mvn hpi:run.12:18
*** myoung is now known as myoung|ruck12:18
hughsaundersbut see the readme in the docker/ dir12:18
*** dkranz has joined #zuul12:20
electrofelixwill look to use that, might have to make a few tweaks to use it for some static slaves as that will be our starting point ;-)12:22
hughsaunders:)12:26
*** rlandy has joined #zuul12:31
*** JasonCL has joined #zuul12:35
*** sshnaidm has quit IRC12:37
openstackgerritMonty Taylor proposed openstack-infra/zuul master: Upgrade to webpack 4  https://review.openstack.org/55198712:39
openstackgerritMonty Taylor proposed openstack-infra/zuul master: Express the bootstrap css depend in css  https://review.openstack.org/55198812:39
openstackgerritMonty Taylor proposed openstack-infra/zuul master: Split status and stream into typescript modules  https://review.openstack.org/55198912:39
openstackgerritMonty Taylor proposed openstack-infra/zuul master: Add typing to getSourceUrl  https://review.openstack.org/55199012:39
openstackgerritMonty Taylor proposed openstack-infra/zuul master: Break build list out into its own module  https://review.openstack.org/55199112:39
openstackgerritMonty Taylor proposed openstack-infra/zuul master: Use glyphicons for status balls  https://review.openstack.org/55199212:39
openstackgerritMonty Taylor proposed openstack-infra/zuul master: Break job out into its own module  https://review.openstack.org/55199312:39
openstackgerritMonty Taylor proposed openstack-infra/zuul master: Break job list out into its own module  https://review.openstack.org/55199412:39
openstackgerritMonty Taylor proposed openstack-infra/zuul master: Break tenant list out into its own module  https://review.openstack.org/55199512:39
openstackgerritMonty Taylor proposed openstack-infra/zuul master: Break project detail and list out into their own module  https://review.openstack.org/55199612:39
openstackgerritMonty Taylor proposed openstack-infra/zuul master: Move webpack html template to web/config  https://review.openstack.org/55199712:39
openstackgerritMonty Taylor proposed openstack-infra/zuul master: Migrate webpack config to typescript  https://review.openstack.org/55199812:40
openstackgerritMonty Taylor proposed openstack-infra/zuul master: Rename javascript package to zuul-dashboard  https://review.openstack.org/55199912:40
* mordred is not actually here today - but had some fun on the airplane yesterday I thought I'd push up12:44
*** sshnaidm has joined #zuul12:45
tobiashmust have been a long flight12:58
openstackgerritMonty Taylor proposed openstack-infra/zuul master: web: add /{tenant}/projects routes  https://review.openstack.org/55097913:00
mordredtobiash: :)13:06
openstackgerritMonty Taylor proposed openstack-infra/zuul master: web: add /{tenant}/pipelines route  https://review.openstack.org/54152113:07
openstackgerritMonty Taylor proposed openstack-infra/zuul master: Rename javascript package to zuul-dashboard  https://review.openstack.org/55199913:07
openstackgerritMonty Taylor proposed openstack-infra/zuul master: dashboard: add /{tenant}/job.html page to display job details  https://review.openstack.org/53554513:07
openstackgerritMonty Taylor proposed openstack-infra/zuul master: dashboard: add /{tenant}/projects.html web page  https://review.openstack.org/53787013:07
openstackgerritMonty Taylor proposed openstack-infra/zuul master: Fix indentation and renable the eslint rule  https://review.openstack.org/54567113:07
openstackgerritMonty Taylor proposed openstack-infra/zuul master: Shift html templates into components  https://review.openstack.org/55132713:07
openstackgerritMonty Taylor proposed openstack-infra/zuul master: Use arrow functions for http callbacks  https://review.openstack.org/55139913:07
openstackgerritMonty Taylor proposed openstack-infra/zuul master: Upgrade to webpack 4  https://review.openstack.org/55198713:07
openstackgerritMonty Taylor proposed openstack-infra/zuul master: Express the bootstrap css depend in css  https://review.openstack.org/55198813:07
openstackgerritMonty Taylor proposed openstack-infra/zuul master: Split status and stream into typescript modules  https://review.openstack.org/55198913:07
openstackgerritMonty Taylor proposed openstack-infra/zuul master: Add typing to getSourceUrl  https://review.openstack.org/55199013:07
openstackgerritMonty Taylor proposed openstack-infra/zuul master: Break build list out into its own module  https://review.openstack.org/55199113:07
openstackgerritMonty Taylor proposed openstack-infra/zuul master: Use glyphicons for status balls  https://review.openstack.org/55199213:07
openstackgerritMonty Taylor proposed openstack-infra/zuul master: Break job out into its own module  https://review.openstack.org/55199313:07
openstackgerritMonty Taylor proposed openstack-infra/zuul master: Break job list out into its own module  https://review.openstack.org/55199413:07
openstackgerritMonty Taylor proposed openstack-infra/zuul master: Break tenant list out into its own module  https://review.openstack.org/55199513:07
openstackgerritMonty Taylor proposed openstack-infra/zuul master: Break project detail and list out into their own module  https://review.openstack.org/55199613:07
openstackgerritMonty Taylor proposed openstack-infra/zuul master: Move webpack html template to web/config  https://review.openstack.org/55199713:07
openstackgerritMonty Taylor proposed openstack-infra/zuul master: Migrate webpack config to typescript  https://review.openstack.org/55199813:07
mordredok. that's it for me for the day13:07
tobiashmordred: have fun with whatever you'll be doing13:07
tristanCcould we make the zuul_stream refactor a post-3.0 thing and release the current master head soon?13:08
tristanCit seems like we lost mordred to a javascript frenzy :-)13:11
tobiashjlk: around?13:23
tobiashI think github3.py broke us13:23
tobiashhttp://paste.openstack.org/show/698721/13:23
openstackgerritTobias Henkel proposed openstack-infra/zuul master: Add new tox-remote job  https://review.openstack.org/55130113:48
openstackgerritTobias Henkel proposed openstack-infra/zuul master: Temporarily fork github3.py  https://review.openstack.org/55202814:13
tobiashjlk, corvus: do we have a better strategy than that ^ ?14:13
tobiashuntil there is a github3.py release14:13
*** jpena is now known as jpena|lunch14:14
tristanCtobiash: another strategy would be to clone a working version into a zuul "vendor" directory14:16
clarkbor just pin it in requirements14:17
tobiashI vote against the vendor directory14:17
tobiashthat's 74M extra14:18
clarkb(you can put a hash in the url used in requirements I think and then specify it to be before the breakage)14:18
openstackgerritTobias Henkel proposed openstack-infra/zuul master: Pin github3.py revision  https://review.openstack.org/55203214:20
tobiashclarkb: like that ^ ?14:20
hughsaunderselectrofelix: pushed another commit to that PR, then merged it, so master is now where its at.14:20
clarkbtobiash: ya14:22
corvustristanC: the main thing about zuul_stream that i was concerned about releasing with was the lack of testing -- if someone finds a bug (and folks have) we can't land a fix because there are no tests (every time we try, we break something else).  however, the new tox-remote job could probably be used to get the extra testing we need there, so if we can make some tests around that in the next couple days, i14:26
corvusthink we could release with that and do the refactor later (with benefit of tests!)14:26
corvustobiash, clarkb: i think we were agreed that if github3.py isn't released before we're ready, we would vendor it14:27
tobiashcorvus: means vendor it pulling it into zuul or mirroring that in openstack?14:28
corvustobiash, clarkb: i guess we could pin for now and still hope it's released before we're ready14:28
tobiashthis lib is huge14:28
corvustobiash: pulling it into the zuul repo.  that way we don't have to release a fork14:28
corvustobiash: maybe we don't pull it all in :)14:28
tobiashcorvus: ok, without tests and git it's 928K14:30
corvustobiash: 73M is tests14:30
corvusya14:30
tobiashwith that I can live14:30
corvustobiash: is there a pr/issue against github3.py for the breakage?14:31
tobiashnot yet14:31
tobiashI just had the time to confirm that the last merged pr broke us14:31
tobiashit's seems to be the huge refactoring jlk was helping with14:32
tobiashcorvus, clarkb: I think the tox-remote job should be ready now14:33
electrofelixhughsaunders: great, it'll probably be a couple more weeks before I can be actively involved aiming for starting in 3-4 weeks14:33
hughsaunderselectrofelix: cool, hopefully we'll have the basic functionality going by then14:33
hughsaunderselectrofelix: I just had the first job execution :D14:33
hughsaunderselectrofelix: but still lots to do around node cleanup14:34
electrofelixevery step brings us closer :D14:35
corvustobiash, clarkb: i think there's a misunderstanding about the jobdir cleanup14:38
corvustobiash, clarkb: see my comment on https://review.openstack.org/55130114:38
tobiashcorvus: responded to the first point14:41
corvustobiash: ok.  i think that's fine for now.  the main downside is it could be fragile and need updating if bwrap is refactored14:42
tobiashcorvus: shall I stick it with a todo?14:42
tobiashmaybe we anyway want to be able to mount stuff into different paths in the future14:43
corvustobiash: nah, i don't know what we'd do.  i'd just leave it14:43
tobiashk14:43
corvustobiash: i don't think so -- that would mean we'd depend on bwrap functionality, could hurt our ability to use other systems.  at least, i wouldn't want to do it without careful thought.14:43
tobiashah right, that needs bind14:44
openstackgerritTobias Henkel proposed openstack-infra/zuul master: Add new tox-remote job  https://review.openstack.org/55130114:45
tobiashthe gh3 pin is green, shall we go with this and then vendor it or directly vendor it?14:48
corvustobiash: let's go with the pin for now and continue to push off vendoring until the last minute14:49
tobiash:)14:49
corvusi just approved the pin14:49
tobiashthanks :)14:49
*** jpena|lunch is now known as jpena15:09
openstackgerritMerged openstack-infra/zuul master: Pin github3.py revision  https://review.openstack.org/55203215:10
kklimondais it technically possible to gate with 2 zuul instances running different configuration and jobs, sharing only gerrit (and projects)?15:14
clarkbnot to gate15:15
kklimondaI'd prefer if an answer to that was no15:15
clarkbbut you can have multiple zuuls providing infromation to gerrit. But only one of them can gate15:15
kklimondaonly one can do the final submit, right?15:15
tobiashyes15:15
kklimondaand it is possible to require +2 votes from two different gerrit users, just a matter of configuration of the "primary" zuul15:16
clarkbin that setup you'd have race issues if primary finished first and couldn't submit15:17
clarkbits probably hackable but would feel clunky at times15:17
kklimondawould there be any risk of two zuul schedulers building a different job graph from the same event stream?15:19
hughsaundersdoes nodepool have a hook for running a script just before marking a request as fulfilled?15:50
clarkbhughsaunders: not anymore, idea is to hvae tools like zuul do that checking instead15:51
clarkbsince they tend to have a richer representation of how to do those things15:51
hughsaundersOK. I've been having issues with Jenkins' auto JDK installation and wanted to try installing it from apt before the node is handed to Jenkins.15:52
hughsaundersI guess I'll have to do that from within the Jenkins Nodepool plugin if nodepool doesn't have a suitable hook.15:53
corvushughsaunders: or you could make a custom image with that installed15:53
hughsaundersMaybe an AptJDKInstallationStrategy could work.15:53
hughsaunderscorvus: yeah, but custom images are sooo much slower on $cloud15:53
corvusclarkb: i think https://review.openstack.org/551301 is ready if you have a sec to re-review16:12
openstackgerritTobias Henkel proposed openstack-infra/zuul master: Fix safe path checks  https://review.openstack.org/55207416:12
openstackgerritTobias Henkel proposed openstack-infra/zuul master: Add further test cases to tox-remote  https://review.openstack.org/55207516:12
clarkblooking now16:12
tobiashcorvus, clarkb ^16:13
*** electrofelix has quit IRC16:18
clarkbgrr gerrit fighting me (working on it though)16:22
clarkbis 552075 not loading in the web ui for anyone else?16:26
clarkbit seems to affect me once I'm logged in but not being logged in it is fine?16:26
tobiashclarkb: just looked at it16:27
clarkbmaybe it is something with my account? this is really weird16:27
tobiashclarkb: 552075 breaks the py35 tests :(16:28
tobiashchecking16:28
tobiashbut tox-remote is green16:28
tobiashI think I spotted the problem16:31
clarkbI'm wondering if this is a local networking problem :(16:32
openstackgerritTobias Henkel proposed openstack-infra/zuul master: Add further test cases to tox-remote  https://review.openstack.org/55207516:33
clarkbI'm not seeing packet loss but other http is also slow16:33
tobiashthat should hopefully fix the tests ^16:34
clarkbI restarted local wifi connection on laptop and it seems happier now16:34
clarkbbut its sad again. I wonder if my ap is unhappy16:39
clarkbok used my phone to approve the base of the stack :)16:41
*** jpena is now known as jpena|brb16:42
tobiashphone is a good fallback :)16:43
kklimondahmm,can  roles be added to the zuul.d/ directory so they don't live in the project root?16:56
openstackgerritMerged openstack-infra/zuul master: Add new tox-remote job  https://review.openstack.org/55130117:00
openstackgerritMerged openstack-infra/zuul master: Fix safe path checks  https://review.openstack.org/55207417:04
clarkbcorvus: tobiash ^17:06
tobiash\o/17:06
tobiash552075 is also green now :_17:06
tobiash:)17:06
corvustobiash: do you want to draft an email to the zuul-announce list describing the vulnerability, or should i?17:11
tobiashI can do after I had something to eat17:11
corvustobiash: ok, thanks :)17:12
corvusi think we only need to restart executors for this... does that sound right?17:13
corvuskklimonda: roles can live alongside playbooks if you don't want the project itself to generally provide a role17:14
kklimonda@corvus but not if that role is used in an external playbook17:14
kklimonda(well, that's a question really :))17:15
corvuskklimonda: right, in that case, it needs to be at the root.  the thinking is that if a role is "exported" so to speak, it should not be in a zuul-specific way.  it should be easy to use by ansible in general.17:16
kklimondawell, those are zuul-specific roles17:16
kklimondaso, to explain what I'm looking into - I have three projects: build-container, deploy-containers, integration-tests17:17
kklimondaI was thinking about putting roles into their corresponding projects17:17
kklimondaso a role used to build containers (used for deployment) would be in the build-container project etc.17:18
kklimondathis way, if the project changes something about containers (for example renames them) it could fix its job at the same time17:19
corvusthose may not be as zuul-specific as they sound: "an ansible role to build the containers"17:19
kklimondabut then I'd have to fix a role used to deploy containers at the same time, and that introduces a dependency cycle17:19
kklimondabuild-container has to test if deploy-container still works, but it requires a change to deploy-container role17:20
kklimondaso perhaps keeping those roles in a common repository, and accepting that we have to add transitions every time we break something, is the way to go afterwards.17:21
corvusput another way, consider whether these can be general purpose ansible roles that you happen to, at the moment, only be running inside of zuul.17:21
kklimondasigh17:21
kklimondathe code for building containers is custom-tailored17:22
kklimondaso we just launch an internal script now really17:22
tobiashcorvus: yes, executor should be enough17:22
kklimondabut some changes "break job API" so to speak - container names change, or tagging scheme, and that requires us to update the job that tests that they can still be deployed17:23
*** jpena|brb is now known as jpena17:24
corvuskklimonda: i think deciding whether you want to force continuity or have an external check on api breakage is a big part of determining where things like that live; you can go either way depending on what workflow you want.17:25
*** rlandy is now known as rlandy|afk17:29
kklimondacorvus: btw, if I want to discuss a larger topic of zuul/nodepool (for example windows support) is coming to vancouver beneficial? What's the format of the summit, is it only presentations all day long, or is there a time for discussions?17:31
corvuskklimonda: there's going to be a concurrent conference called 'opendev' during the summit focused on ci/cd topics, and summit attendees with an interest in that area will be encouraged to attend.  it will have talks, working sessions, and hands-on sessions, so we'll have more opportunities for collaboration.17:34
corvuskklimonda: but it's not going to be like a ptg... so a discussion like that might be more of a hallway track item...17:34
corvuskklimonda: also, tobiash should be part of that discussion, and he may not be in vancouver...17:35
corvuskklimonda: tobiash has done quite a bit to implement windows support, and it's accepted as a feature we want to support.17:36
kklimondawell, I'd still like to meet the people, and it's being paid by my employee, so I'm mostly curious how much will I actually will have to work ;)17:36
tobiashcorvus: maybe I get the chance for vancouver17:37
corvuskklimonda: oh yes, several of us will be there and would be very happy to meet you.  your attendance at opendev would be great regardless :)17:37
corvuskklimonda, tobiash: ^ all the better then :)17:38
tobiashjust got wife-approval and unofficial management approval17:38
tobiashso if it makes sense I try to get there17:38
kklimondacorvus: it shares venue and pass with summit?17:38
corvuskklimonda: yep: http://2018.opendevconf.com/17:38
corvuskklimonda: folks can register for just opendev, but also summit attendees can attend.17:38
kklimondacorvus: the other request I'm hearing from our windows developers is adding support in nodepool for creating separated networks - they are working on SDN and want to isolate tests from each other. Has that been considered in the past?17:40
rcarrillocruzwellll17:40
rcarrillocruzi'd be more than interestad in that one17:40
rcarrillocruzlike17:40
rcarrillocruzper-label networks ?17:40
* rcarrillocruz works on ansible networking btw17:40
corvusi read it as more like "per-request" network17:40
corvusie, "give me 5 nodes and a brand new network"17:41
rcarrillocruzyou can today attach nods to multiple networks17:41
rcarrillocruzbut all nodes get attached to them17:41
rcarrillocruzthat's what i use today17:41
rcarrillocruzcorvus: yeah, that would be awesome for my use cases too17:41
rcarrillocruzcos i have folks asking me how we could test topologies with nodepool17:41
rcarrillocruzper-job/request networks would be awesome17:42
kklimondayeah, also not having to attach every network to every node would be great17:42
rcarrillocruzi honestly don't think it would be much work , just adding networks to per-label and process them in the create_server call17:42
rcarrillocruzkklimonda: if you could open a story, would be happy to take a look17:42
rcarrillocruznext week i'll be in a team meeting, and will discuss things we may need from nodepool/zuul17:43
corvuswe've talked a bit about expanding nodepool to be able to provide more kinds of resources.  i think we'll probably end up doing that.  we didn't want to try to do anything like that before the 3.0 release.  but i think we'll probably need a design document for it.17:43
rcarrillocruz++17:43
kklimondasure17:43
rcarrillocruzcorvus: happy to look , get assigned17:43
corvus('cause it's not just networks, same thing could be useful for storage, etc)17:44
rcarrillocruzi think i could justify work hours from my team as that is a use case we may need implemented17:44
rcarrillocruzright, in networking world is common to have networking images require certain HDDs attached as volumes17:44
rcarrillocruzotherwise they won't boot17:44
rcarrillocruzi can circumvent that by tweaking the booting image and adding partitions/filesystems with guestfs17:45
rcarrillocruzbut would be awesome to have volumes and other resources as first class citizens17:45
corvusi feel like "how to obtain resources needed for tests" in general is a good topic for opendev.17:45
* rcarrillocruz sighs, checks again opendev dates but thinking i'll be parenting newborn17:46
corvusas far as implementation specifics for zuul -- we can talk about it in the hallway in vancouver, or on the mailing list.  and when we have an idea of how it should work, write up a specification.17:46
rcarrillocruz++17:46
tobiashcorvus: https://etherpad.openstack.org/p/CcPPe1NOFa17:50
tobiashprobably needs some polishing by a native speaker ;)17:50
corvustobiash: let's drop 'cve' since we didn't request one17:51
tobiashk17:51
Shrewsnodepool needs are beginning to sound like a cloud for clouds17:52
Shrewsperhaps we should rename to "cloudpool" for 4.0  :)17:52
corvusShrews: yeah, it's the universal cloud api for all instances of all clouds.  but that's what we need.  :)17:52
Shrewsmeh, we're not asking for much. just to support all things in all the various clouds. lol17:53
Shrews4.0 will be fun17:54
kklimondais 4.0 when we can run multiple schedulers for HA/rolling restarts? ;)17:55
tobiashkklimonda: that's on the roadmap17:56
corvustobiash: i'd like to emphasize the role of bubblewrap here a bit more -- does line 13 look ok?  can we maybe insert that as the second sentence and drop the last sentence from line 3?17:58
tobiashthat sounds great17:58
corvustobiash: basically, i want folks to know that if they're running bubblewrap, they're probably okay, and if they aren't, they probably aren't.17:58
corvusokay, i'll move it in17:58
rcarrillocruzShrews: MOAR WORK17:59
corvusfungi, clarkb: can you take a look at https://etherpad.openstack.org/p/CcPPe1NOFa ?18:00
fungiyep18:01
*** myoung|ruck is now known as myoung|afk18:01
*** myoung|afk is now known as myoung|biab18:01
clarkblgtm18:01
corvusdid we by any chance change how hostnames are reported in metrics?18:02
tobiashcorvus: yes there was a change to replace . and : by _18:02
corvustobiash: that matches what i'm seeing in tcpdump.  :)18:03
fungicorvus: that looks fine. if we're interested in adopting some of the more formal process used by the openstack vmt, there are some useful cut-n-paste templates with recommended wording at https://security.openstack.org/vmt-process.html#templates18:03
tobiashcorvus: change 54730918:03
fungisince this is a vulnerability in an unreleased codebase though, a lot of the wording there is probably irrelevant18:04
corvusfungi: oh awesome.  i think we should do that for next time.... i'll let tobiash decide if he wants to reword or just go with what we have so far.18:04
fungii'd recommend at least including information on the reporter of the vulnerability (if they're okay with that) since it's good form to give credit in advisories18:05
tobiashfungi: the reporter was me ;)18:05
fungiyeah, totally up to you tobiash!18:06
fungiif you don't want credit for reporting it, then there's no need to include a sentence saying who reported it18:06
tobiashfungi: you mean this template https://security.openstack.org/vmt-process.html#openstack-security-advisories-ossa ?18:07
fungiin openstackland we tend to get a fair number of vulnerabilities reported by security researchers who like to see themselves or their employers credited for doing that work18:07
fungitobiash: well, the ossa template is actually yaml input to a sphinx extension we use to transform it into restructuredtext (which is then used as a basis for a published html rendering, but also intended to be suitable for e-mailing to mailing lists)18:08
tobiashah, ok18:08
fungii mostly just meant wording we have in the impact description18:09
tobiashah, ok18:09
tobiashlooking18:09
fungithe main points of communicating a vulnerability are to describe the impact (so phrasing it relative to a potential exploit scenario can sometimes be helpful) and letting users know where to get the fix18:10
fungia common trap advisory authors fall into is focusing on implementation details of the vulnerable code or the patch, so we use that impact description template as a reminder to ourselves to stick to (or at least start out with) the most important information18:11
fungithe degree of technical detail worth embedding in an advisory text is just enough to disambiguate it from past or likely future similar vulnerabilities18:12
*** sshnaidm is now known as sshnaidm|afk18:13
fungiideally people interested in the deeper details will look at any linked bug reports or commit messages and code for the fixes you've linked in the advisory anyway so there's not a lot of need to duplicate information which can be found there18:13
corvusokay, so we found a problem with the security patch18:20
corvushttp://logs.openstack.org/22/551822/1/gate/openstack-tox-py27/623f25c/ara/file/71b64ee4-f5b4-49ef-aed3-419a39127f07/#line-418:20
-openstackstatus- NOTICE: Most jobs in zuul are currently failing due to a recent change to zuul; we are evaluating the issue and will follow up with a recommendation shortly. For the moment, please do not recheck.18:21
*** ChanServ changes topic to "Most jobs in zuul are currently failing due to a recent change to zuul; we are evaluating the issue and will follow up with a recommendation shortly. For the moment, please do not recheck."18:21
corvushttp://logs.openstack.org/22/551822/1/gate/openstack-tox-py27/623f25c/18:21
tobiashcorvus: I think I've spotted the problem18:21
tobiashin the playbook dirs we link to the according repos containing the ansible stuff18:21
tobiashthis is probably a symlink and gets resolved before the path check18:22
tobiashmaybe we should change that to use hard linking?18:22
corvustobiash: oh interesting idea18:22
corvushttp://git.openstack.org/cgit/openstack-infra/zuul/tree/zuul/executor/server.py#n115918:23
corvusthat's the code which does the symlinking18:23
tobiashI looked at the comment describing the dir structure http://git.openstack.org/cgit/openstack-infra/zuul/tree/zuul/executor/server.py#n29918:23
tobiashwhich looked pretty similar to the rejected path18:23
dmsimardI've been out all morning so I have little to no context to work with, I'll catch up with the backlog and see if I can help.18:24
fungiavailability of hardlinking tends to be filesystem-specific so may not be a good choice18:24
fungiunless we already make an assumption elsewhere that hardlinks are an acceptable expectation18:25
tobiashfungi: we use hard linking for repos already18:25
tobiashafaik18:26
fungiokay, then i retract my concern ;)18:26
dmsimardfungi: if we see a filesystem constraint, it should be documented -- I think it's reasonable to expect people to deploy on "non-exotic" filesystems18:26
tobiashbut have to double heck18:26
tobiashcheck18:26
dmsimardfungi: and if someone wants to deploy on an exotic filesystem, they can send patches to support it :D18:26
tobiashfungi: at least the disk accountant argues with hard links: http://git.openstack.org/cgit/openstack-infra/zuul/tree/zuul/executor/server.py#n9118:27
dmsimardcorvus: did you send that email from the etherpad already ? I spotted a typo.18:28
fungii expect the announcement isn't going out until we can safely use the patch linked from it18:28
dmsimardok /me fixes typo18:29
corvusdmsimard, fungi: yeah, i'd say that's on hold until we figure out next step18:29
* dmsimard continues catching up with backscroll18:29
*** dtruong has joined #zuul18:30
openstackgerritTobias Henkel proposed openstack-infra/zuul master: Use hard linking for playbook environments  https://review.openstack.org/55211018:31
corvuswhen i wrote the symlink code, i was (a) not aware that a role would need to access files inside its own directories, and so was not aware of the mismatch between the bwrap security model and the path-checking model.  so i didn't think about hard links vs symlinks in that context.18:31
tobiashcorvus: how about that? ^18:31
tobiashcorvus: and maybe we also need to whitelist the playbook dir as I think might not be inside the work dir18:32
tobiashor do we bind that into the work dir during run?18:32
corvusand (b) i was thinking that symlinks provided more debugability than hard links (you could see that a given playbook was either trusted or untrusted by looking at the symlink).  i don't think that's a reason to stick with symlinks.18:33
clarkb18:33
corvustobiash: we don't want to whitelist it because we don't want a job to be able to change the playbook it's running18:33
clarkbsorry18:33
tobiashcorvus: hrm, but we need to allow it as input sources18:34
corvusi wonder if another approach would be to relax the path check on src files...18:34
corvusmaybe work/ and trusted/ are okay for src=18:34
corvusthe nice thing about that is that it would fix dmsimard's problem -- you could use {{ role_path }} explicitly18:35
dmsimardI'm struggling to understand how hard links would be different than symlinks in our context -- they end up pointing to the same "content", a symlink is more or less a redirection but a hard link is a direct reference to the inode so there's no such redirection. Is the problem the content the symlinks can point to ? Or rather the fact that we don't control where they point ?18:35
dmsimard(note I'm still catching up with a LOT of backscroll)18:35
tobiashwhat I don't understand is why does the tox-remote test work (and most other tasks)?18:35
tobiashso this is probably already in the work dir within the bwrap context18:36
corvustobiash: we may not have a test which has a trusted role used by an untrusted playbook18:36
tobiashcorvus: so then I think the symlink may be the only problem18:36
dmsimardcorvus: the reason why we don't allow access to /trusted is because it'd allow someone to modify the content there before running them I guess ?18:36
corvusdmsimard: yep18:37
fungidmsimard: if the inode is accessible to the process in question but there is a pattern match being performed on the dereferenced link target which determines that it doesn't follow an acceptable pattern, a hardlink to the same inode would work around that18:37
dmsimardfungi: but are we trying to prevent people from working around that ?18:37
corvusdmsimard: people, yes.  zuul, no.18:38
corvuswhere is the fetch-testr role?18:39
fungimy understanding is we're talking about how to allow zuul to poke holes in the trusted veil without allowing untrusted jobs to do the same18:39
dmsimardcorvus: so this might be a stupid idea but what if we just "mounted" the trusted content in read only instead ?18:39
tobiashcorvus: zuul-jobs18:39
corvussorry, fetch-subunit-output18:39
corvusfungi: yep, that's how i'd characterize the hard-link option.18:39
corvushrm, why is it in tursted/ ?18:40
dmsimardCould the executor prepare the content outside the bwrap and then mount it read only in the bwrap ? I'm mostly just thinking out loud.18:40
tobiashcorvus: maybe because there is no speculative version of zuul-jobs involved18:40
corvusdmsimard: it is mounted read-only in the bwrap.18:40
tobiashand the base job uses zuul-jobs18:40
corvusdmsimard: brwap is our second level defence.  we're trying to fix the first level, which is patch checking.18:40
dmsimardcorvus: hmm, in the expectation that people can /kind of/ run this without bwrap ?18:41
corvusdmsimard: currently, because of the vulnerability in patch checking, we are relying *only* on the second level defence.18:41
fungifell off the tightrope onto the safety net, but need to get back on the tightrope ;)18:41
corvusfungi: yep18:41
dmsimardwell, I was mostly wondering how people could end up modifying trusted content (re: my earlier question) if the trusted content was mounted read only18:42
corvusdmsimard: i'm not going to recommend anyone do that, though some have expressed an interest.  for me, this is a defence-in-depth exercise.18:42
dmsimardcorvus: +118:42
kklimondadoes the new Depends-On syntax means we can do cross-connection dependencies?18:42
dmsimardkklimonda: yes, it's been tested before18:42
dmsimardbetween shade and ansible iirc ?18:43
corvusdmsimard: the answer is "with bwrap, they can't", but we need to ignore that in order to fix the path check so it stands alone as an effective defense.18:43
kklimondadmsimard: do I have to connect zuul to each source, or can it just use the url to fetch change and its dependencies?18:43
fungikklimonda: the former for now. there's been discussion of potentially supporting some semblance of the latter in the future i think18:43
dmsimardkklimonda: I believe projects need to be in Zuul's main configuration file (where the included projects are listed), hopefully someone can correct me if I'm wrong18:43
*** ChanServ changes topic to "Discussion of the project gating system Zuul | Docs: http://docs.openstack.org/infra/zuul/ | Source: https://git.openstack.org/cgit/openstack-infra/zuul/ | Roadmap: https://storyboard.openstack.org/#!/board/53 | Channel logs: http://eavesdrop.openstack.org/irclogs/%23zuul/"18:43
-openstackstatus- NOTICE: Zuul has been restarted without the breaking change; please recheck any changes which failed tests with the error "Accessing files from outside the working dir ... is prohibited."18:43
corvustobiash: oh, gotcha.  the base job pulled in zuul-jobs, and since there's no change to that, zuul didn't bother to create a non-trusted checkout of it.18:44
kklimondathanks18:44
corvusokay, back to solutions -- have we poked any holes in the hard-link idea, or is it sound?18:46
dmsimardkklimonda: btw to your earlier question, despite not having two "gating" zuuls, it's possible to require a +verified vote from two different zuul instances18:47
tobiashregarding as write destination I don't think there is a real difference18:47
corvustobiash: not sure i understand that18:47
dmsimardkklimonda: you need to look at the "require" stanza http://git.openstack.org/cgit/openstack-infra/project-config/tree/zuul.d/pipelines.yaml#n7018:48
tobiashmaybe we should make the path checks for targets to not rely on bwrap ro-mount18:48
dmsimardkklimonda: (the trigger stanza as well, depends on how you set things up)18:48
corvustobiash: i still don't understand18:48
tobiashcorvus: just thought if there is a different 'overwrite playbooks' risk with hard links than with symlinks18:49
kklimondadmsimard: so the idea is that I guard submit action somehow, probably by creating a new vote type so that submit action is done only after both instances voted?18:50
*** harlowja has joined #zuul18:50
dmsimardkklimonda: in gerrit "submit" is a privilege that you can give to users (or not) -- in OpenStack's gerrit, no users have submit privileges but infra-root can "escalate" their own privileges to have submit privileges18:51
dmsimardkklimonda: so you "guard" against submit through the gerrit ACL18:51
kklimondadmsimard: right, but if I have two zuul instances doing gating, I can't have "primary" zuul submit patch to gerrit until "secondary" zuul voted +218:52
dmsimardkklimonda: what you do at the pipeline level is to require a +verified vote from multiple users to enter gate18:52
fungikklimonda: right, what dmsimard said. and we create a workflow vote which tells our ci system we're ready for a final pass at testing before it should attempt to submit the change for merge18:52
fungikklimonda: hrm, i don't know if we've tried having two zuul deployments relying on each other for decision making18:53
kklimondayes, but this still sounds like a single zuul doing an actual gating, requiring multiple votes to start the gate pipeline - or do I misunderstand something?18:53
fungikklimonda: correct18:53
kklimondaI'd prefer to hear that gating with two zuul is a horrible idea, and I'm a bad person for even considering that18:54
dmsimardkklimonda: there can only ever be one "system" doing the gating, otherwise it's error prone18:54
dmsimardkklimonda: so what you do is to require the two zuuls to return +verified in the "check" pipeline so that a change can enter the "gate" pipeline (on one Zuul)18:54
tobiashkklimonda: it is a horrible idea18:54
kklimondatobiash: thanks ;)18:55
tobiashgating is a sequential process and you simply cannot synchronize two zuuls such that they have the same changes in gate and press the submit button together18:55
dmsimardkklimonda, tobiash: well, hang on -- it's not horrible and there's a use case for it.. For example, if you have third party CI that you want to make "voting".18:55
fungikklimonda: you might be able to have verify +1, +2 and +3 and then have zuul #1 perform its final testing when asked and have it leave a verify +2, then have zuul #2 trigger on a verify +2 comment and leave a verify +318:55
dmsimardBut it'll be "voting" for the "check" pipeline, not the gate pipeline.18:55
fungiit would serialize the final testing between the two of course18:55
kklimondaI'll just go with "there can be only one gate keeper"18:55
corvusokay, if anyone would like to discuss the security issue, please follow me to #openstack-infra-incident18:55
tobiashdmsimard: but that's not two zuuls gating together18:55
kklimondadmsimard: right, we actually run our zuul in this configuration today18:56
kklimondawe have two different CI systems - zuulv3 for linux, and zuulv2 + jenkins for windows18:56
tobiashthe gate is the last validation of the final future state which cannot be done by two independent systems18:56
kklimondaour (noop) gate requires both to vote +118:56
tobiashhaving check in several systems is ok though18:57
kklimondatobiash: yes, my gut feeling was that requiring votes from multiple systems to enter gating is fine, but there can be only one system with the final say in merge.18:58
dmsimardkklimonda: we're on the same wavelength.18:59
tobiashyes19:00
kklimondaIt would be easier if the concept of gating was actually understood better - I have a lot of discussions where people conflate gating and testing19:00
fungiwe keep trying to correct people when they misuse the terminology19:01
kklimondaso now I start every discussion explaining what gating is19:01
fungibut it never seems to sink in19:01
*** rlandy|afk is now known as rlandy19:01
fungifor that matter, people tend to conflate jobs with tests, and good luck getting them to be clear when they're talking about one or the other19:01
*** openstackgerrit has quit IRC19:04
mrhillsmancan i use zuul.yaml to define services to deploy via devstack?19:07
mrhillsmannvm19:09
*** jpena is now known as jpena|off19:12
*** myoung|biab is now known as myoung|ruck19:13
*** openstackgerrit has joined #zuul19:31
openstackgerritTobias Henkel proposed openstack-infra/zuul master: Allow trusted for find_needle  https://review.openstack.org/55212719:31
openstackgerritTobias Henkel proposed openstack-infra/zuul master: Allow trusted for find_needle  https://review.openstack.org/55212720:16
openstackgerritTobias Henkel proposed openstack-infra/zuul master: Allow trusted for find_needle  https://review.openstack.org/55212720:21
openstackgerritTobias Henkel proposed openstack-infra/zuul master: Allow trusted for find_needle  https://review.openstack.org/55212720:23
openstackgerritTobias Henkel proposed openstack-infra/zuul master: Allow trusted for find_needle  https://review.openstack.org/55212720:26
jlktoabctl: I'm here now20:27
SpamapScorvus: FYI, I ended up going rogue and re-did all my slides for the SCALE talk. http://fewbar.com/zuul-ci-crossing-streams/20:27
jlktobiash: er I'm here now.20:27
SpamapSMy favorite slide:20:28
SpamapSSpeculative merging for high velocity merging20:28
SpamapS[ switch to other presentation ]20:28
SpamapSI really would love to have the zuul simulation in some form that could just be iframed or something.20:28
SpamapSjlk: o/20:28
tobiashjlk: o/20:29
dmsimardSpamapS: someone could do one of those fancy animated gifs that illustrates that in some way20:29
dmsimardSpamapS: or asciinema20:29
jlkmy brain tries to read that as "ascii enema"20:29
dmsimardjlk: guinness--20:30
tobiashjlk: so it looks like the latest change to github3.py broke zuul for us (luckily not production ;) )20:30
*** dkranz has quit IRC20:30
jlkoh noes, did he merge that big change? I bet he did.20:31
jlkI've been out of it for a couple weeks20:31
tobiashit looks like it crashes when querying repos without an attached licence?20:31
tobiashyah he merged it a day ago20:31
tobiashwe've merged a pin to requirements.txt before that merge20:31
tobiashas a quick fix20:32
jlkcool. Is there an open issue somewhere that indicates the breakage?20:32
tobiashnot yet20:32
tobiashI was knee deep in the security issues and had just time to do the pin to unbreak us20:32
jlkokay. I'm happy to help work on it, or shepherd a patch through. I'm getting caught back up at work though and won't be able to spend a lot of time immediately on diagnosis.20:33
tobiashI'll be stuck on security fixes and windows integration in nodepool next 1-2 weeks20:34
jlkcool cool. I'll add it to my list to look into it I suppose. Where was it breaking? handling events?20:35
tobiashI think during getBranches in the gh driver20:35
tobiashat least after prime_installation map20:36
tobiashat least my integration zuul refused to start ;)20:37
jlkoh that's pretty fast then. That should be fairly easy to sort out.20:37
jlkI just have to resurrect my set up to launch a pile of containers for this.20:37
tobiashjlk: but maybe it can be even triggered easier by requesting the repo object for a repo without license20:39
tobiashjust as a quick guess without having to resurrect zuul and dealing first with getting it running again ;)20:39
jlkokay, thanks!20:52
openstackgerritTobias Henkel proposed openstack-infra/zuul master: Allow trusted for find_needle  https://review.openstack.org/55212720:59
tobiashcorvus: removed debug print and added a comment ^21:00
Shrewsgah, are we back to meeting 1 hour from now? stupid DST21:01
corvusShrews: first topic on agenda!21:02
corvustobiash: i ran the remote test locally -- it fails the patch test21:02
corvustobiash: hah21:02
Shrewsoh, i certainly ++ any earlier times21:02
corvustobiash: i think that may just be me :)21:02
* corvus installs patch on test node21:03
tobiashmissing patch?21:03
tobiash:)21:03
corvusyep, passes now :)21:03
corvusi'll run the normal test suite locally too21:03
corvusthe previous version of the patch passed all the other jobs21:03
tobiashk21:04
corvusclarkb: can you review https://review.openstack.org/552075 ?21:07
corvusi'd like to land that before we land https://review.openstack.org/55212721:08
clarkbya Im grabbing lunch then will be back to computer21:09
corvusonce we land those, i'd like to restart openstack's executors again, and send out the announcement: https://etherpad.openstack.org/p/CcPPe1NOFa21:11
corvusit's been updated to reference the new patch21:11
corvusalso, in working on this issue, tobias has found another related issue, which we've discussed privately21:12
corvusthe announcement mentions that as well21:12
corvusthe gist is that it looks like there's another way one might bypass these path checks.  again, i think bwrap prevents real damage from occuring.21:13
corvusi think under the circumstances, the most responsible thing to do is to just let folks know there will be at least one more security update related to this, and that using bwrap should mitigate the issue21:14
tobiashyay, 552127 passed zuul-tox-remote :)21:19
openstackgerritJames E. Blair proposed openstack-infra/zuul master: Fix error in test_jobs_executed  https://review.openstack.org/55214221:24
corvustobiash: it also passed my local py35 tests21:24
corvus(except i learned that 552142 is needed)21:25
corvusbut i'm confident enough to request clarkb review both 552127 and 552075 now when he's back from lunch :)21:25
tobiash+2 on 55214221:26
corvustobiash: and if you need to sign off for the evening, i think it's probably okay to send the email to zuul-announce whenever you're ready21:27
*** hashar has quit IRC21:27
tobiashI'll probably awake today until the first topic in the meeting ;)21:28
tobiashok, mail is prepared, just have to press the send button when the time has come21:31
fungithe wording is still what's in https://etherpad.openstack.org/p/CcPPe1NOFa i guess21:33
tobiashyah, I still can change things there21:34
fungii've made a handful of minor (mostly grammatical) edits21:38
tobiashthx21:38
dmsimardI think the emphasis on Bubblewrap is definitely appropriate21:40
dmsimardI mean, we're basically allowing arbitrary users run arbitrary code on the Ansible control node :)21:41
SpamapSI keep forgetting to mention the bubblewrap integration21:42
SpamapSwhich is really cool21:42
fungigranted that's not the intent, and fixing these sorts of bugs is still important21:42
SpamapSalthough I also kind of see it as this like, just good due dilligence we did for when people ask how we protect the executor.21:42
fungiideally zuul will appropriately constrain arbitrary code supplied by arbitrary users, but for now that's not as solid as we want it to be21:42
corvusyes.  though i will say that i was inclined to treat bwrap as required before, and this has only strengthened my conviction on that...21:44
SpamapSThis is why we have two layers of security. :)21:44
dmsimardI discussed a bit with upstream in #ansible-devel (and off the record) about file/path filtering and access in general and it made me think about other means of "restricting" access to things that have nothing to do with python or Ansible -- namely chroots and plain unix permissions (or even filesytem ACLs if we want to get fancy)21:44
SpamapScorvus: agreed.21:44
corvusi wonder if there would be any objection at this point to removing the ability to use nullwrap...?21:44
* clarkb is pulling up changes to revie wnow21:44
fungiright now we're finding holes in our assumptions/implementation where constraining ansible is concerned, but who's to say next time it won't be holes in bubblewrap we're finding and then thankful we have robust constraints in place for ansible?21:44
clarkbI had bun for lunch21:44
SpamapSThe ability to run with it turned off is entirely to allow weird things that nobody should do without patching.21:44
dmsimardgrabbing some food, be back in a while21:44
corvusfungi: indeed21:44
dmsimardfungi: +121:45
SpamapSIdeally we'd have 1 more layer, which is a MAC of some sort.21:45
fungido we know of any deployments which aren't using bubblewrap?21:45
SpamapSnot I21:45
clarkbcorvus: ok so you want 552075 in first?21:46
* clarkb starts there21:46
jlkIs meeting happening in 15 minutes, or did DST throw things around?21:46
fungii recall some of the reason for teh nullwrap was so people could run it on platforms which don't (yet?) support or provide bwrap21:46
corvusjlk: 15m21:46
corvusclarkb: ideally yes21:46
fungibut no idea whether those users were pure speculation21:46
corvusclarkb: i tested the other change with that in place, so i know it's good.  if there's a problem with 552075 we can land the other first though.21:46
SpamapSfungi: one of those platforms is unprivileged docker containers.21:47
SpamapSthough I believe that is solved now21:47
tobiashthe nullwrap driver doesn't support secrets so the only full featured execution wrapper is brwapp anyway21:47
SpamapSand bwrap with USER things in the kernel works unprivileged21:47
fungicool, so yes i have no objection to further crippling/removing the ability to run without bubblewrap for now21:48
SpamapSI'm still of the opinion that it's better to give people a "turn off the security" option than to require them to patch the code to do so. They'll end up running an old patched version of zuul instead of new ones, because they have to keep porting forward their "turn off the security" patch. :-/21:48
*** _ari_ has quit IRC21:49
SpamapSLike unix, I think we should give people enough rope to hang themselves, and then a little more.21:49
*** fbo has quit IRC21:50
fungihrm, yeah i suppose _if_ there are users who want to do that (but are there?) then it's either using outdated insecure zuul or running up to date zuul configured to be insecure. with appropriate flashing warnings around it, i guess the latter is at least no worse than the former21:50
corvusthe danger is if it gets used because of some solveable problem -- like "i didn't know how to install bwrap so i turned it off"21:50
*** _ari_ has joined #zuul21:51
SpamapSSame things happens on Linux. "I didn't know how to use SELinux, so I turned it off. I didn't know how to run the daemon as not-root, so I ran it as root."21:52
*** fbo has joined #zuul21:52
corvusyeah.  i'd like to avoid any suggestion that that's okay.  :)21:52
fungi"a common mistake that people make when trying to design something completely foolproof is to underestimate the ingenuity of complete fools" (douglas adams)21:52
SpamapSAlso one thing I've never looped back to is some integration tests where we try to run evil playbooks with nullwrap to see if they succeed.21:53
corvusbasically, i'd feel better if our security announcements said "we had a problem but bubblewrap protected us" rather than "we had a problem, and as long as you didn't disable bubblewrap you're okay" :)21:53
corvusSpamapS: we have a test framework now for doing that, though it's using bubblewrap, not nullwrap.  so we're running evil playbooks and expecting failure.21:54
corvusSpamapS: https://review.openstack.org/552075 expands on that and adds more tests21:54
SpamapSI suppose you can still detect whether bubblewrap or ansible wrappers saved you21:54
corvusSpamapS: oh... to test bwrap.  hrm.  yeah, the tests we have now all hit the ansible checks, since that's layer 1... i don't think we have a way of testing the *wrap layer without the ansible checks.21:55
SpamapSAnyway I'm still fine with security messages saying "... as long as you didn't disable bubblewrap" which to me is the same thing as "as long as you didn't aim the gun at your foot and pull the trigger, you should be ok."21:56
SpamapSwhat if we rename nullwrap to footgun ?21:56
clarkbcorvus: tobiash can you see the comment on 552075? Other than that I think the change is fine21:56
clarkbwant to make sure I'm not missing anything there21:57
corvusSpamapS: when we created openstack package repos that said "testing-only-do-not-use-in-production" they got used in production.21:57
tobiashlooking21:57
corvusSpamapS: this, in part, informs my position on the footgun-availability subject :|21:57
SpamapSfootgun-this-time-we-mean-it ;)21:57
SpamapSAnother though.. maybe disable it in master, and wait for screams?21:58
SpamapSthought21:58
SpamapSLIke, I know I'm not dependent on it at all.21:58
SpamapSSounds like none of us need it.21:58
tobiashclarkb: oh yes, that was from the pre-mount-stuff-into-bwrap phase21:58
SpamapSso, yeah, chuck it, and if somebody comes out of the wood work..21:58
corvusyeah, we can go ahead and put it out there and see21:58
tobiashclarkb: would you be ok with a followup which removes hte regexp?21:58
clarkbtobiash: sure, I'll go ahead and approve the existing change then21:59
tobiashor shall I update this now?21:59
clarkbtobiash: its fine, I've approved it, will review your followup change as soon as it is up21:59
corvusmeeting time in #openstack-meeting-alt22:00
openstackgerritTobias Henkel proposed openstack-infra/zuul master: Remove superfluous regexp matcher from assemble test  https://review.openstack.org/55215422:01
tobiashclarkb: ^22:01
clarkbcorvus: tobiash I am approvint the allow trusted paths in is safe path change now22:05
corvusclarkb: thx!22:05
tobiash:)22:06
openstackgerritMerged openstack-infra/zuul master: Add further test cases to tox-remote  https://review.openstack.org/55207522:13
*** myoung|ruck is now known as myoung|bbl22:16
openstackgerritMerged openstack-infra/zuul master: Allow trusted for find_needle  https://review.openstack.org/55212722:24
tobiashcorvus: that merged ^ so I can press 'send' now?22:25
corvustobiash: i think so!  i'll have to restart our executors later.. either after the meeting or maybe tomorrow.  best not wait for that.22:28
tobiashok22:28
clarkbcorvus: when meeting is done https://review.openstack.org/#/c/552154/ is a quick followup from the earlier patch set22:57
corvusdone!22:58
clarkbcorvus: following up from the meeting does zuul error by default if you don't have bwrap installed or will it fall back gracefully?23:04
corvusclarkb: it'll error; you have to change the config if you want to use nullwrap23:06
clarkbin that case I think we probably wouldn't have needed a cve even if there had been a zuul release23:07
clarkbsince its very explicitly this is how it should work and if you change it we are telling you it is insecure23:07
corvusgood23:09
corvusi feel like we're skating by though, and i'd like to confront the issue head-on, so i think i'll still start a discussion about dropping nullwrap23:10
corvusi created a zuul-security team in storyboard23:11
corvusi wonder if there's any way for a user to determine whether they are on a team?23:11
*** rlandy is now known as rlandy|bbl23:12
clarkb++ to dropping nullwrap. This case seems to be a good example of why we bwrap23:14
openstackgerritMerged openstack-infra/zuul master: Remove superfluous regexp matcher from assemble test  https://review.openstack.org/55215423:16
pabelangerlooks like I missed some excitement today, and meeting23:33
pabelangerBack online in the morning, but https://review.openstack.org/551015/ is an interesting patch for zuul-fingergw I'd love some feedback on, specifically why that is the fix for OVH. Can't figure out why.23:34
clarkbpabelanger: I'd guess we don't get working ipv6 on ovh so that doesn't work reliably?23:35
clarkbpabelanger: maybe check sysctl -a output for ipv6 things?23:36
pabelangerclarkb: yah, maybe. For some reason, it seems limited there23:36
pabelangersure23:36
clarkbpabelanger: but ya I would look at ifconfig/ip addr output and sysctl -a | grep ipv623:39
pabelangerclarkb: k, trying to collect that now23:40
clarkbalso is it a specific distro behavior?23:40
clarkbpossible that one distro changed how they set up ipv6?23:40
pabelangerclarkb: no, seems to fail on fedora-27, ubuntu-xenial and ubuntu-bionic23:40
abelurI am trying to setup zuul locally ...23:45
abelurany head start pointers on setting up zuul locally and getting started with the dev process?23:45
clarkbabelur: https://docs.openstack.org/infra/zuul/admin/zuul-from-scratch.html is the deployment guide23:46
abelurclarkb: thanks ... is it possible to setup the env with docker?23:48
clarkbabelur: tobias is running it under k8s/openshift, so yes, but I'm not sure there is a documented method for that yet23:49
pabelangerclarkb: http://paste.openstack.org/show/698790/23:52
pabelangernode is also held23:52
clarkbthat looks fine23:53
clarkbnet.ipv6.conf.all.disable_ipv6 = 0 in particular23:53
« Sunday, 2018-03-11 Index Tuesday, 2018-03-13 »

Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!