| clarkb | corvus: https://review.openstack.org/#/c/587580/4/roles/wip-upload-logs-swift/library/zuul_swift_upload.py has a comment saying we won't copy symlinked dirs but the test has a symlinked dir that seems to be in the filelist (symlink_loop_a) | 00:08 |
|---|---|---|
| *** elyezer has joined #zuul | 01:51 | |
| *** swest has quit IRC | 01:52 | |
| *** elyezer has quit IRC | 01:54 | |
| *** swest has joined #zuul | 02:07 | |
| *** threestrands has joined #zuul | 02:11 | |
| *** threestrands has quit IRC | 02:23 | |
| *** hwoarang has quit IRC | 03:52 | |
| tobiash | ianw: a dib upgrade fixed the cleanup problem in the error cases I tested so that looks good | 03:54 |
| ianw | tobiash: ok, thanks; we pick off problems as they appear, but there's plenty of points lurking where things can go wrong that there is still a daemon running, or we don't catch exit status properly etc | 04:06 |
| openstackgerrit | Tristan Cacqueray proposed openstack-infra/zuul master: web: add /{tenant}/job/{job_name} route https://review.openstack.org/550978 | 05:36 |
| openstackgerrit | Tristan Cacqueray proposed openstack-infra/zuul master: web: add /{tenant}/projects and /{tenant}/project/{project} routes https://review.openstack.org/550979 | 05:40 |
| openstackgerrit | Tristan Cacqueray proposed openstack-infra/zuul master: web: add /{tenant}/pipelines route https://review.openstack.org/541521 | 05:44 |
| openstackgerrit | Tristan Cacqueray proposed openstack-infra/zuul master: scheduler: add job's parent name to the rpc job_list method https://review.openstack.org/573473 | 06:01 |
| openstackgerrit | Tristan Cacqueray proposed openstack-infra/zuul master: web: add /{tenant}/labels route https://review.openstack.org/553979 | 06:01 |
| openstackgerrit | Tristan Cacqueray proposed openstack-infra/zuul master: web: add /{tenant}/nodes route https://review.openstack.org/553998 | 06:01 |
| *** jimi|ansible has quit IRC | 06:33 | |
| *** jesusaur has quit IRC | 06:40 | |
| *** jesusaur has joined #zuul | 06:45 | |
| openstackgerrit | Tristan Cacqueray proposed openstack-infra/zuul master: web: add /{tenant}/labels route https://review.openstack.org/553979 | 07:12 |
| tristanC | jhesketh: thanks for all the review on the web route! | 07:14 |
| jhesketh | tristanC: no worries, thanks for putting up with my nit-picking | 07:14 |
| jhesketh | once these are merged I'll do the web-ui side | 07:14 |
| tristanC | about the nodes and labels one, i think we should also consider moving them to nodepool. i put the code in zuul to get an unified endpoint, but we may want to have zuul-web/zuul-webui setting to pull the data from the nodepool webapp | 07:16 |
| tristanC | well, i think nodepool should be merged in zuul, but if it's not going to happen, we need to find a way for user to get access to that data | 07:17 |
| jhesketh | I agree on both parts | 07:20 |
| jhesketh | I think there was a time where nodepool made sense to be separate, but I'm not sure that's true anymore | 07:20 |
| tristanC | another option would be to split the zk.py module in its own project, that would reduce code duplication | 07:22 |
| jhesketh | well it could be a library inside one project or the other and they two projects depend on each other | 07:33 |
| *** jpena|off is now known as jpena | 08:20 | |
| *** jiapei has joined #zuul | 08:36 | |
| *** electrofelix has joined #zuul | 08:49 | |
| *** goern has joined #zuul | 10:04 | |
| *** jpena is now known as jpena|lunch | 11:03 | |
| *** jiapei has quit IRC | 11:47 | |
| *** elyezer has joined #zuul | 11:51 | |
| *** jpena|lunch is now known as jpena | 11:57 | |
| goern | hmm, how do I develop a post-review job? Do I really need to merge something to get a test run triggered?! | 12:06 |
| goern | adding the job itself to a branch of the jobs repo and refering to it via Depends-On is done... | 12:09 |
| *** panda|rover is now known as panda|rover|off | 12:17 | |
| pabelanger | goern: yes, you'll need to merge changes first before able to test them with post-review. | 12:42 |
| goern | pabelanger, hmm, so I better prepare a test repo because testing will require a lot or merging empty commits? or will the new job be used when I enqueue a job again via commandline?! | 13:01 |
| pabelanger | goern: yah, another option is to move the job into a trusted project for testing, then you can test in check. Just be careful not to leak a password in logs, then once working propelry, move job into untrusted project for and test for post-review pipeline | 13:04 |
| *** jimi|ansible has joined #zuul | 13:06 | |
| goern | pabelanger, ack | 13:08 |
| *** swest has quit IRC | 13:44 | |
| *** swest has joined #zuul | 13:45 | |
| dmsimard | corvus: should https://www.youtube.com/watch?v=KXh0sh3ETkQ and https://www.youtube.com/watch?v=6177329H4Tg be on zuul-ci.org ? | 14:05 |
| *** nhicher has joined #zuul | 14:40 | |
| clarkb | jhesketh: tristanC: there continues to be a non zero set of users using nodepool to manage images in particular. But I also think that people have tlaked about using nodepool in conjuncton with eg jenkins | 15:03 |
| openstackgerrit | Monty Taylor proposed openstack-infra/zuul master: Switch storyboard url to be by name https://review.openstack.org/588597 | 15:18 |
| openstackgerrit | Monty Taylor proposed openstack-infra/nodepool master: Switch storyboard url to be by name https://review.openstack.org/588600 | 15:20 |
| openstackgerrit | James E. Blair proposed openstack-infra/zuul master: Add pause/unpause support to scheduler https://review.openstack.org/588610 | 15:44 |
| -openstackstatus- NOTICE: The infra team is renaming projects in Gerrit. There will be a short ~10 minute Gerrit downtime in a few minutes as a result. | 16:04 | |
| openstackgerrit | Monty Taylor proposed openstack-infra/zuul-website master: WIP Add podcast.__init__ audio stream https://review.openstack.org/588615 | 16:05 |
| *** jpena is now known as jpena|off | 16:44 | |
| *** openstackgerrit has quit IRC | 16:49 | |
| *** dmellado has quit IRC | 17:22 | |
| *** gouthamr has quit IRC | 17:23 | |
| *** gouthamr has joined #zuul | 17:26 | |
| -openstackstatus- NOTICE: Project renames and review.openstack.org downtime are complete without any major issue. | 17:30 | |
| *** gouthamr has quit IRC | 17:33 | |
| corvus | clarkb, tobiash: can you +3 https://review.openstack.org/587580 ? i'm uncomfortable leaving that vulnerability open longer than necessary | 17:40 |
| clarkb | corvus: last night I asked about the test on that. symlink_loop/symlink_loop_b is asserted to be a directory but the code says we should skip loops? | 17:42 |
| corvus | clarkb: i believe symlinked directories are created as empty directories (ie, the dirent is there, but there's no content because we don't recurse into it) | 17:44 |
| corvus | (symlink_loop is a real directory) | 17:44 |
| clarkb | gotcha | 17:45 |
| corvus | we could probably eliminate that by doing an is-symlink check when we're adding directories to the list and skip it | 17:45 |
| mnaser | mordred: carrying on that convo, we're pretty much gearing to have our entire infra managed by a single repo so we're running into a lot of interesting issues on how to manage | 17:46 |
| corvus | i'm not sure which is more desirable -- finding an empty directory where you expected some logs, or finding no directory | 17:46 |
| mnaser | the idea is check/gate + post to run ansible and run against all infra, kinda like what infra is aiming to do now | 17:46 |
| mordred | mnaser: awesome! | 17:46 |
| mnaser | but unsure on the whole balance of managing secrets within ansible vs within zuul | 17:46 |
| mordred | mnaser: the thinking infra-side so far has been to keep our secrets on what was puppetmaster.o.o and what is becomming bridge.o.o - and store a secret in zuul that has the ssh key needed to connect to bridge | 17:47 |
| mnaser | so storing a vault password and using it for the ansible run .. or just storing the secrets directly inside zuul and consuming them, still a *shrug* | 17:47 |
| mordred | mnaser: we haven't *done* that yet though | 17:47 |
| mnaser | mordred: i see, so it's not single user workers that run ansible in post pipeline for example | 17:48 |
| mordred | but yeah - similar to the first - storing a vault password - I just don't think we'll bother with vault | 17:48 |
| mordred | that's at least not what we're looking at so far | 17:48 |
| mnaser | i see, if you don't mind me quickly asking, any reason in particular on why not go that route at least | 17:48 |
| mordred | complexity mainly. we have a LOT of secrets in our private hiera - it doenst' seem like a big win, for us, to encode each of them as zuul secrets. but also - rightnow zuul only has one version of ansible available, so we were a little concerned about tying ourselves to that version | 17:50 |
| mordred | so I'd say it's mostly a "how can we move forward in reasonable steps" thing | 17:51 |
| mnaser | mordred: we have a ton of secrets too so that seems like a sensible thing to do | 17:51 |
| * mnaser will have to think about this a bit more | 17:52 | |
| mordred | yah. it's an interesting case ... we're definitely exploring some new ground here :) | 17:52 |
| * mnaser will keep an eyeout | 17:52 | |
| clarkb | corvus: before you dive into fixing nodepool can we context switch back to the symlinks thing? | 18:05 |
| clarkb | corvus: os.walk isn't following symlinks which is how we avoid loops right? | 18:05 |
| corvus | clarkb: it does not recurse into directories which are symlinks | 18:05 |
| corvus | which is how we avoid loops | 18:06 |
| *** electrofelix has quit IRC | 18:06 | |
| clarkb | corvus: where do we check that? we check that the directories share a root but you could symlink loop under the same root right? | 18:06 |
| corvus | the root check isn't about avoiding loops. os.walk's behavior is how we avoid loops. the root check is about symlinking to a file outside of the root to trick a role running trusted on the executor to give you a file you wouldn't normally have access to. | 18:07 |
| clarkb | right ok, the default os.walk behavior is the thing then. Thanks | 18:08 |
| corvus | (ie, bypassing the normal only access files inside the working directory checks we do) | 18:08 |
| clarkb | ya | 18:08 |
| *** openstackgerrit has joined #zuul | 18:35 | |
| openstackgerrit | Merged openstack-infra/zuul-jobs master: Swift logs: don't allow links outside of the supplied path https://review.openstack.org/587580 | 18:35 |
| *** smyers_ has joined #zuul | 18:45 | |
| *** smyers has quit IRC | 18:46 | |
| *** smyers_ is now known as smyers | 18:46 | |
| *** gouthamr has joined #zuul | 19:04 | |
| logan- | mnaser: similar use case here. we're migrating jobs from jenkins to zuul and using zuul secrets to drop an ansible vault password file currently. vault password file can also be a script, so there are some examples out there where the vault password can be loaded into a gpg agent so it is not stored on disk during the run. have not gone that route yet though. | 19:06 |
| mnaser | oh i didnt know the password can be a script, thats interesting | 19:07 |
| *** smyers_ has joined #zuul | 19:27 | |
| *** smyers has quit IRC | 19:28 | |
| *** smyers_ is now known as smyers | 19:28 | |
| *** smyers_ has joined #zuul | 19:55 | |
| *** smyers has quit IRC | 19:56 | |
| *** smyers_ is now known as smyers | 19:56 | |
| *** dmellado has joined #zuul | 19:56 | |
| *** gouthamr has quit IRC | 20:00 | |
| *** smyers has quit IRC | 20:01 | |
| *** smyers has joined #zuul | 20:02 | |
| *** harlowja has joined #zuul | 20:21 | |
| *** rbergeron has quit IRC | 20:35 | |
| *** rbergeron has joined #zuul | 20:35 | |
| *** pcaruana has quit IRC | 21:38 | |
| *** gouthamr has joined #zuul | 21:48 | |
| openstackgerrit | James E. Blair proposed openstack-infra/zuul-jobs master: Un-wip upload-logs-swift https://review.openstack.org/588677 | 22:48 |
| openstackgerrit | Merged openstack-infra/zuul-jobs master: Add HTMLify logs role https://review.openstack.org/588105 | 23:09 |
| *** harlowja has quit IRC | 23:48 | |
Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!